Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search group by

cheeseng
New Member
‎07-12-2012 12:39 AM

I am doing a internal audit for splunk log, the query is following

index="_audit" action = edit_user NOT "search" |table timestamp user object operation

result:

timestamp                  user      object     operation
07-12-2012 15:07:53.419    admin     cheeseng   edit 
07-12-2012 15:07:53.419    admin     cheeseng   list 
07-12-2012 14:56:18.475    admin     admin      edit 
07-12-2012 14:56:18.475    admin     admin      list 
07-12-2012 14:56:18.475    admin     cheeseng   edit

I am wondering how to group the result base on timestamp meaning same time of event should in a group
thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎07-12-2012 02:12 AM

You could use stats and group by _time and user:

index="_audit" action=edit_user NOT search | stats values(object) as object,values(operation) as operation by user,_time

If you have events that happen at roughly the same time but not the exact same time, and you want to group them together anyway, you could use bucket to do that. For instance to group together events that happened within the same second:

index="_audit" action=edit_user NOT search | bucket _time span=1s | stats values(object) as object,values(operation) as operation by user,_time

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎07-12-2012 02:12 AM

You could use stats and group by _time and user:

index="_audit" action=edit_user NOT search | stats values(object) as object,values(operation) as operation by user,_time

If you have events that happen at roughly the same time but not the exact same time, and you want to group them together anyway, you could use bucket to do that. For instance to group together events that happened within the same second:

index="_audit" action=edit_user NOT search | bucket _time span=1s | stats values(object) as object,values(operation) as operation by user,_time
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...