Hi,
Well I think the way to do this is to look at your 3 objects (USER_ID,COMPANY,UID) and then break them out into fields something like this (assuming they are not already fields pulled out and Splunk doesn't already recognize them)
source=<mysqlquerylow> "SELECT * FROM SAMPLE WHERE" | regex (?<usrid>" USER_ID = '(\w+\s\w+)') | regex (?<cmpy>" and COMPANY = '(\w+\s\w+\D)') | regex (?<uid>" and UID = (\d+)" | eval yourfield="SELECT
* FROM SAMPLE WHERE "+ursid+cmpy+uid | stats count(newfield)
The benefit of this is you can report on the fields you extracted and count them individually (i.e. how often is UID 9999 coming up)
... View more