Hi, This returns 0 results. It's most likely because I don't currently have a user who has a score over 100. I need the search to add the scores or combine the rows of users who show up more than once in the logs. I removed the table and clicked the "user" interesting fields to show that there are two users who have a count of 2. That makes them show up twice in the logs with two separate scores. I need a way to combine any user that has a count of more than 1 to show their total score. Thanks for your continued help! Screenshot http://pasteboard.co/9MCXOBt.png ... View more

So I have a tool that gives user's scores. I have logs coming into Splunk for this tool. For some reason the logs in splunk shows one user with two separate scores when I use this search: index=test sourcetype=test2 | WHERE score>=100 | eval Date=strftime(_time, " %d %b %Y %H:%I:%S") | table Date, user, score I'm only concerned about users who have a score if 100 or above. The user who shows up twice in Splunk has a score above 100 in my tool but on the logs in Splunk the user is shown twice with two different scores (that add up to over 100). Basically the user shows up in the table twice. example user | score bmith | 56 rscott | 26 jdoe | 78 kwarren | 112 bsmith | 48 I'm trying to achieve this: user | score bsmith | 104 kwarren | 112 ... View more

the thing is user is not an integer...can this be achieved via Distinct Count somehow? ... View more