Count as a limiting factor for results of a nested query?

fncds3 — Mon, 10 Sep 2012 16:20:19 GMT

I'm attempting to identify the top 5 hosts responsible for my errors via the following query:

sourcetype=logs 
[ search sourcetype=logs 
| top 0 errors showperc=false showcount=false ] 
| top 5 hosts by errors showperc=false

This query works, but gives me results for a ton of errors. I would like to limit the results to only errors per host that are greater than a count of 10. However when I add the following line to my query, I get no results:

| search count > 10

I know that I have results that are > 10, so this logic is valid, but I cannot figure out how to properly apply it.

Here's a sample of what my results look like:

 - host  - error - count 
 - APP01 - err09 - 50 
 - APP01 - err07 - 38 
 - APP01 - err05 - 27 
 - APP01 - err10 - 20 
 - APP01 - err12 - 4 
 - APP02 - err15 - 33 
 - APP02 - err60 - 21 
 - APP02 - err09 - 8

...

Any ideas on how to remove the rows with counts that are not greater than 10?

Re: Count as a limiting factor for results of a nested query?

kristian_kolb — Mon, 10 Sep 2012 18:18:06 GMT

Why the subsearch?

sourcetype=logs | stats c by error, host | search c > 10

Perhaps there is some simplification you've made regarding the actual logs. If this does not work, please post a few sample lines of actual log.

hope this helps,

Kristian

topic Re: Count as a limiting factor for results of a nested query? in Splunk Search

Count as a limiting factor for results of a nested query?

Re: Count as a limiting factor for results of a nested query?