I am doing an internal audit of the Splunk log; the query is the following:
index="_audit" action = edit_user NOT "search" |table timestamp user object operation
Result:
timestamp user object operation
07-12-2012 15:07:53.419 admin cheeseng edit
07-12-2012 15:07:53.419 admin cheeseng list
07-12-2012 14:56:18.475 admin admin edit
07-12-2012 14:56:18.475 admin admin list
07-12-2012 14:56:18.475 admin cheeseng edit
I am wondering how to group the results based on timestamp, meaning events with the same time should be in one group.
thanks
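One way to do this grouping in SPL, as an added example that is not part of the original post (it assumes the `_time` field of the `_audit` events carries the same millisecond timestamp shown in the `timestamp` column):

```spl
index=_audit action=edit_user NOT "search"
| stats values(object) AS object values(operation) AS operation by _time, user
| sort - _time
```

`values()` collapses the rows that share an identical `_time` and `user` into one row listing every object and operation touched at that moment; use `list()` instead if duplicates should be preserved, or insert `| bin _time span=1s` before the `stats` to group events that differ only in milliseconds.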