Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- search group by
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am doing a internal audit for splunk log, the query is following
index="_audit" action = edit_user NOT "search" |table timestamp user object operation
result:
timestamp user object operation
07-12-2012 15:07:53.419 admin cheeseng edit
07-12-2012 15:07:53.419 admin cheeseng list
07-12-2012 14:56:18.475 admin admin edit
07-12-2012 14:56:18.475 admin admin list
07-12-2012 14:56:18.475 admin cheeseng edit
I am wondering how to group the result base on timestamp meaning same time of event should in a group
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use stats and group by _time and user:
index="_audit" action=edit_user NOT search | stats values(object) as object,values(operation) as operation by user,_time
If you have events that happen at roughly the same time but not the exact same time, and you want to group them together anyway, you could use bucket to do that. For instance to group together events that happened within the same second:
index="_audit" action=edit_user NOT search | bucket _time span=1s | stats values(object) as object,values(operation) as operation by user,_time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use stats and group by _time and user:
index="_audit" action=edit_user NOT search | stats values(object) as object,values(operation) as operation by user,_time
If you have events that happen at roughly the same time but not the exact same time, and you want to group them together anyway, you could use bucket to do that. For instance to group together events that happened within the same second:
index="_audit" action=edit_user NOT search | bucket _time span=1s | stats values(object) as object,values(operation) as operation by user,_time
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
