topic Re: How to use stats count where OR stats count where on different fields? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-use-stats-count-where-OR-stats-count-where-on-different/m-p/428731#M168459 <P>Be sure to <CODE>UpVote</CODE> helpful answers even if you can't <CODE>Accept</CODE> one of them.</P> Sun, 15 Jul 2018 13:30:42 GMT woodcock 2018-07-15T13:30:42Z How to use stats count where OR stats count where on different fields? https://community.splunk.com/t5/Splunk-Search/How-to-use-stats-count-where-OR-stats-count-where-on-different/m-p/428725#M168453 <P>Greetings,</P> <P>I'm pretty new to Splunk. I have to create a search/alert and am having trouble with the syntax. This is what I'm trying to do:<BR /> index=myindex field1="AU" field2="L"<BR /> |stats count by field3 where count &gt;5 OR count by field4 where count&gt;2</P> <P>Any help is greatly appreciated.</P> Sat, 07 Jul 2018 01:39:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-stats-count-where-OR-stats-count-where-on-different/m-p/428725#M168453 vwilson3 2018-07-07T01:39:37Z Re: How to use stats count where OR stats count where on different fields? https://community.splunk.com/t5/Splunk-Search/How-to-use-stats-count-where-OR-stats-count-where-on-different/m-p/428726#M168454 <P>The <CODE>stats</CODE> command does not have a <CODE>where</CODE> clause and only has a single <CODE>by</CODE> clause.</P> <P>What are you trying to accomplish with your sample query? Once you explain what results you want to get, we may be able to help you get them.</P> Sun, 08 Jul 2018 01:17:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-stats-count-where-OR-stats-count-where-on-different/m-p/428726#M168454 richgalloway 2018-07-08T01:17:08Z Re: How to use stats count where OR stats count where on different fields? https://community.splunk.com/t5/Splunk-Search/How-to-use-stats-count-where-OR-stats-count-where-on-different/m-p/428727#M168455 <P>Hi @vwilson3,</P> <P>Probably you are looking for something similar?</P> <PRE><CODE>index=myindex field1="AU" field2="L" |stats dc(field3) as field3,dc(field4) as field4 |where (field3&gt;5 OR field4&gt;2) </CODE></PRE> Sun, 08 Jul 2018 12:50:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-stats-count-where-OR-stats-count-where-on-different/m-p/428727#M168455 renjith_nair 2018-07-08T12:50:50Z Re: How to use stats count where OR stats count where on different fields? https://community.splunk.com/t5/Splunk-Search/How-to-use-stats-count-where-OR-stats-count-where-on-different/m-p/428728#M168456 <P>Maybe this:</P> <PRE><CODE>index=myindex field1="AU" field2="L" | fillnull value="N/A" field3 field4 |stats count BY field3 field4 | multireport [ stats sum(count) AS f3count BY field3 | where f3count&gt;5] [ stats sum(count) AS f4count BY field4 | where f4count&gt;2] </CODE></PRE> Sun, 08 Jul 2018 17:49:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-stats-count-where-OR-stats-count-where-on-different/m-p/428728#M168456 woodcock 2018-07-08T17:49:14Z Re: How to use stats count where OR stats count where on different fields? https://community.splunk.com/t5/Splunk-Search/How-to-use-stats-count-where-OR-stats-count-where-on-different/m-p/428729#M168457 <P>I am trying to find events that match field1 and field2, and match field3 if there are more than 5 or match field4 if there are more than 2.</P> <P>Thanks for the info.</P> Wed, 11 Jul 2018 00:54:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-stats-count-where-OR-stats-count-where-on-different/m-p/428729#M168457 vwilson3 2018-07-11T00:54:09Z Re: How to use stats count where OR stats count where on different fields? https://community.splunk.com/t5/Splunk-Search/How-to-use-stats-count-where-OR-stats-count-where-on-different/m-p/428730#M168458 <P>Still working on this. Thank you for your suggestions!</P> Sat, 14 Jul 2018 17:45:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-stats-count-where-OR-stats-count-where-on-different/m-p/428730#M168458 vwilson3 2018-07-14T17:45:18Z Re: How to use stats count where OR stats count where on different fields? https://community.splunk.com/t5/Splunk-Search/How-to-use-stats-count-where-OR-stats-count-where-on-different/m-p/428731#M168459 <P>Be sure to <CODE>UpVote</CODE> helpful answers even if you can't <CODE>Accept</CODE> one of them.</P> Sun, 15 Jul 2018 13:30:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-stats-count-where-OR-stats-count-where-on-different/m-p/428731#M168459 woodcock 2018-07-15T13:30:42Z Re: How to use stats count where OR stats count where on different fields? https://community.splunk.com/t5/Splunk-Search/How-to-use-stats-count-where-OR-stats-count-where-on-different/m-p/428732#M168460 <P>Thank you, woodcock! I appreciate the guidance. I hope I did it correctly.</P> Mon, 16 Jul 2018 13:02:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-stats-count-where-OR-stats-count-where-on-different/m-p/428732#M168460 vwilson3 2018-07-16T13:02:10Z