Hi, I'm new to Splunk so any help would be greatly appreciated. I'm trying to do two different things, and I'm not quite sure how it's done. I need to be able to do a count of how many times a user made modifications on a specific server, but an hour's break between modifications counts as a different instance. I also need to be able to sort the data, so it'll show the Location, Server Name, Username, and the count.
I'm able to use the stats count to sort and give me a count of the instance, but I don't know how to combine multiple instances on a specific server by a user if they are not more than 1 hour apart.
Thanks.
Here's what the logs look like:
Security,Sep 3, 2012 8:33:48 PM EDT, jdoe Security:4624, 192.10.1.21, fileserver, Chicago,
Security,Sep 12, 2012 10:54:26 AM EDT, jsmith Security:4624, 192.10.2.59, printserver, Seattle
Security,Sep 3, 2012 8:33:47 PM EDT, jdoe Security:4624, 192.10.1.21, fileserver, Chicago
Security,Sep 12, 2012 10:54:26 AM EDT, jsmith Security:4624, 192.10.2.59, printserver, Seattle
Security,Sep 3, 2012 8:40:48 PM EDT, jdoe Security:4624, 192.10.1.21, fileserver, Chicago
Security,Sep 12, 2012 10:59:26 AM EDT, jsmith Security:4624, 192.10.1.59, printserver, Seattle
Security,Sep 3, 2012 8:50:47 PM EDT, jdoe Security:4624, 192.10.2.21, fileserver, Chicago
Security,Sep 12, 2012 11:02:26 AM EDT, jsmith Security:4624, 192.10.1.59, printserver, Seattle
Here's what I want to be able to see:
Location User IP Date Count
Seattle Jdoe 192.10.1.21 Sep 3, 2012 8:33 PM EDT 2
Seattle Jdoe 192.10.1.21 Sep 3, 2012 8:40 PM EDT 1
Seattle Jdoe 192.10.1.21 Sep 3, 2012 8:50 PM EDT 1
Chicago jsmith 192.10.2.59 Sep 12, 2012 10:54 AM EDT 2
Chicago jsmith 192.10.2.59 Sep 12, 2012 10:59 AM EDT 2
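The grouping the question describes (events for the same user on the same server belong to one instance until there is a gap of more than an hour) is what Splunk's `transaction` command does with `maxpause=1h`. As an added example, not part of the original post, here is the same sessionization written out in Python over the question's own log lines, so the expected counts can be checked before building the search. The parser assumes the field order shown above; the ninth line (a 10:05 PM jdoe event) is constructed to force a second session, and all events are assumed to share one time zone.

```python
"""Group Windows logon events (Security:4624) into per-user sessions on a server,
where a gap of more than one hour between consecutive events starts a new session.

Added example: reproduces what Splunk's `transaction ... maxpause=1h` would do,
so the resulting counts can be compared against the search output.
"""
import re
from datetime import datetime, timedelta

# Regex for the log format in the question. The timestamp contains a comma,
# so a plain split(",") would break it; named groups pull out each field.
LINE_RE = re.compile(
    r"^Security,(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<tz>[A-Z]{3,4}), (?P<user>\S+) Security:(?P<event_id>\d+), "
    r"(?P<ip>[\d.]+), (?P<server>[^,]+), (?P<location>[^,]+),?\s*$"
)

# Sample input: the eight lines from the question plus one CONSTRUCTED jdoe event
# (10:05 PM) more than an hour after the last real one, to force a second session.
SAMPLE_LOG = """\
Security,Sep 3, 2012 8:33:48 PM EDT, jdoe Security:4624, 192.10.1.21, fileserver, Chicago,
Security,Sep 12, 2012 10:54:26 AM EDT, jsmith Security:4624, 192.10.2.59, printserver, Seattle
Security,Sep 3, 2012 8:33:47 PM EDT, jdoe Security:4624, 192.10.1.21, fileserver, Chicago
Security,Sep 12, 2012 10:54:26 AM EDT, jsmith Security:4624, 192.10.2.59, printserver, Seattle
Security,Sep 3, 2012 8:40:48 PM EDT, jdoe Security:4624, 192.10.1.21, fileserver, Chicago
Security,Sep 12, 2012 10:59:26 AM EDT, jsmith Security:4624, 192.10.1.59, printserver, Seattle
Security,Sep 3, 2012 8:50:47 PM EDT, jdoe Security:4624, 192.10.2.21, fileserver, Chicago
Security,Sep 12, 2012 11:02:26 AM EDT, jsmith Security:4624, 192.10.1.59, printserver, Seattle
Security,Sep 3, 2012 10:05:00 PM EDT, jdoe Security:4624, 192.10.1.21, fileserver, Chicago
"""


def parse_event(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # All sample events carry the same zone (EDT), so a naive datetime is enough;
    # mixed zones would need an explicit offset mapping before comparing times.
    ev["time"] = datetime.strptime(ev["ts"], "%b %d, %Y %I:%M:%S %p")
    return ev


def parse_log(text):
    """Parse every line that matches; silently skip lines that do not."""
    return [ev for ev in (parse_event(l) for l in text.splitlines()) if ev]


def sessionize(events, max_pause=timedelta(hours=1)):
    """Split events into sessions keyed by (location, server, user).

    Events are walked in time order per key; a gap greater than max_pause
    between consecutive events closes the current session and opens a new
    one (the same rule as transaction's maxpause).
    """
    def key(e):
        return (e["location"], e["server"], e["user"], e["time"])

    sessions = []
    current = None
    for ev in sorted(events, key=key):
        k = key(ev)[:3]
        if (current is None or current["key"] != k
                or ev["time"] - current["last"] > max_pause):
            current = {"key": k, "location": ev["location"], "server": ev["server"],
                       "user": ev["user"], "ip": ev["ip"], "start": ev["time"],
                       "last": ev["time"], "count": 0}
            sessions.append(current)
        current["last"] = ev["time"]
        current["count"] += 1
    return sessions


def session_table(text):
    """Rows in the shape the question asks for: Location, Server, User, IP, Date, Count.

    IP and Date are taken from the first event of each session.
    """
    return [(s["location"], s["server"], s["user"], s["ip"],
             s["start"].strftime("%b %d, %Y %I:%M %p"), s["count"])
            for s in sessionize(parse_log(text))]


if __name__ == "__main__":
    for row in session_table(SAMPLE_LOG):
        print(*row, sep="\t")
```

On the sample input this yields one jdoe session on fileserver with 4 events starting 8:33 PM, a second jdoe session with 1 event at the constructed 10:05 PM line, and one jsmith session on printserver with 4 events. In SPL the equivalent is `transaction` over the user, server and location fields with `maxpause=1h`, which emits an `eventcount` field per session that can then be tabulated alongside the location, server and user.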