Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

search group by

cheeseng
New Member
‎07-12-2012 12:39 AM

I am doing a internal audit for splunk log, the query is following

index="_audit" action = edit_user NOT "search" |table timestamp user object operation

result:

timestamp                  user      object     operation
07-12-2012 15:07:53.419    admin     cheeseng   edit 
07-12-2012 15:07:53.419    admin     cheeseng   list 
07-12-2012 14:56:18.475    admin     admin      edit 
07-12-2012 14:56:18.475    admin     admin      list 
07-12-2012 14:56:18.475    admin     cheeseng   edit

I am wondering how to group the result base on timestamp meaning same time of event should in a group
thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎07-12-2012 02:12 AM

You could use stats and group by _time and user:

index="_audit" action=edit_user NOT search | stats values(object) as object,values(operation) as operation by user,_time

If you have events that happen at roughly the same time but not the exact same time, and you want to group them together anyway, you could use bucket to do that. For instance to group together events that happened within the same second:

index="_audit" action=edit_user NOT search | bucket _time span=1s | stats values(object) as object,values(operation) as operation by user,_time

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎07-12-2012 02:12 AM

You could use stats and group by _time and user:

index="_audit" action=edit_user NOT search | stats values(object) as object,values(operation) as operation by user,_time

If you have events that happen at roughly the same time but not the exact same time, and you want to group them together anyway, you could use bucket to do that. For instance to group together events that happened within the same second:

index="_audit" action=edit_user NOT search | bucket _time span=1s | stats values(object) as object,values(operation) as operation by user,_time
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...