https://community.splunk.com/t5/Splunk-Search/Using-where-in-search/m-p/480538#M134663 <P>I have the following search</P> <PRE><CODE>index="pan" (dest_ip="192.168.*" AND NOT src_ip="192.168.*" AND NOT src_location="AU" AND NOT src_location="*-*" ) | chart count by src_location,action </CODE></PRE> <P>This results in a nice stacked column chart showing actions (allowed &amp; blocked) per src_location.<BR /> What I need to do is only show those src_locations where the total count (allowed + blocked) is greater than a specific value (eg totalCount &gt;= 500).</P> <P>I have tried using separate <STRONG>stats count by [field] as [name]</STRONG> statements then using eval to add them together but I can't get the results I'm wanting which is the stacked column graph by src_location showing allowed &amp; blocked.</P> <P>Any suggestions greatly appreciated.</P> Wed, 30 Sep 2020 02:10:58 GMT balcv 2020-09-30T02:10:58Z https://community.splunk.com/t5/Splunk-Search/Using-where-in-search/m-p/480538#M134663 <P>I have the following search</P> <PRE><CODE>index="pan" (dest_ip="192.168.*" AND NOT src_ip="192.168.*" AND NOT src_location="AU" AND NOT src_location="*-*" ) | chart count by src_location,action </CODE></PRE> <P>This results in a nice stacked column chart showing actions (allowed &amp; blocked) per src_location.<BR /> What I need to do is only show those src_locations where the total count (allowed + blocked) is greater than a specific value (eg totalCount &gt;= 500).</P> <P>I have tried using separate <STRONG>stats count by [field] as [name]</STRONG> statements then using eval to add them together but I can't get the results I'm wanting which is the stacked column graph by src_location showing allowed &amp; blocked.</P> <P>Any suggestions greatly appreciated.</P> Wed, 30 Sep 2020 02:10:58 GMT https://community.splunk.com/t5/Splunk-Search/Using-where-in-search/m-p/480538#M134663 balcv 2020-09-30T02:10:58Z https://community.splunk.com/t5/Splunk-Search/Using-where-in-search/m-p/480539#M134664 <P>@balcv ,</P> <P>Try</P> <PRE><CODE>index="pan" (dest_ip="192.168.*" AND NOT src_ip="192.168.*" AND NOT src_location="AU" AND NOT src_location="*-*" ) | chart count by src_location,action | addtotals row=true fieldname=totalCount | where totalCount &gt;= 500|fields - totalCount </CODE></PRE> Fri, 13 Sep 2019 03:18:28 GMT https://community.splunk.com/t5/Splunk-Search/Using-where-in-search/m-p/480539#M134664 renjith_nair 2019-09-13T03:18:28Z https://community.splunk.com/t5/Splunk-Search/Using-where-in-search/m-p/480540#M134665 <P>Awesome. Thanks for that @renjith.nair</P> Fri, 13 Sep 2019 03:32:44 GMT https://community.splunk.com/t5/Splunk-Search/Using-where-in-search/m-p/480540#M134665 balcv 2019-09-13T03:32:44Z