Hi,
I'm attempting to obtain a unique list of users who were on a server within a small time window (1 second). I'm not looking for the count but rather the user id of each user.
Logs look somewhat like this:
2012-02-25 21:58:58,950 -0700 level=INFO ServerName=app1.domain.com userid=1234566
I've tried various transaction approaches similar to this:
"ServerName=app1.domain.com" | dedup userid | transaction fields="_time" maxspan=1s
This doesn't end up giving me what I'm looking for. I'm certainly no Splunk expert (rather just a beginner) and I'm sure this is possible...I just haven't been able to find a way to accomplish this.
Thanks,
Steve