https://community.splunk.com/t5/Splunk-Search/Excluding-daily-values-in-chart-if-less-then-1/m-p/606447#M210924 <P>This was exactly what I was looking for, thank you very much!</P><P>// G</P> Thu, 21 Jul 2022 08:23:58 GMT fatsug 2022-07-21T08:23:58Z https://community.splunk.com/t5/Splunk-Search/Excluding-daily-values-in-chart-if-less-then-1/m-p/606440#M210920 <P>Hello community</P><P>I am trying to combine two different things and cannot figure out how. I am looking at a certain action and counting how many times this is observed per IP address and day. Then I’m plotting per IP by day to try to find recurring events based on IP address. I got this far:</P><PRE>&lt;base-search&gt; earliest="-7d@d" latest="@d"<BR />| chart count over ip by date_wday</PRE><P>Which does exactly what is intended, tough the details are lost as there are a lot if single events per IP address. So, I’d like to filter out any IP address with only 1 event during the period (here one week).</P><P>This works fine for filtering:</P><PRE>| stats count as sum by ip<BR />| search summa &gt; 1</PRE><P>But then I loose the details needed for the chart part. I figured maybe I could use eval to filter out based on total count but could not put together anything which worked. Even when I tried to combine stats and eval I either failed or ended up with something which could not be presented graphically.</P><P>Any suggestions are more than appreciated</P><P>Best regards</P><P>// G</P> Thu, 21 Jul 2022 08:08:44 GMT https://community.splunk.com/t5/Splunk-Search/Excluding-daily-values-in-chart-if-less-then-1/m-p/606440#M210920 fatsug 2022-07-21T08:08:44Z https://community.splunk.com/t5/Splunk-Search/Excluding-daily-values-in-chart-if-less-then-1/m-p/606442#M210921 <P>Hi,</P><P>Perhaps you can do it with timechart and a where clause. Something like:</P><LI-CODE lang="markup">&lt;base-search&gt; earliest="-7d@d" latest="@d" | timechart span=1d count as sum by ip where sum &gt; 1</LI-CODE> Thu, 21 Jul 2022 08:15:03 GMT https://community.splunk.com/t5/Splunk-Search/Excluding-daily-values-in-chart-if-less-then-1/m-p/606442#M210921 javiergn 2022-07-21T08:15:03Z https://community.splunk.com/t5/Splunk-Search/Excluding-daily-values-in-chart-if-less-then-1/m-p/606443#M210922 <P>You can try:<BR /><BR />| eventstats count by IP<BR />| where count &gt; 1</P><P>&nbsp;</P> Thu, 21 Jul 2022 08:17:26 GMT https://community.splunk.com/t5/Splunk-Search/Excluding-daily-values-in-chart-if-less-then-1/m-p/606443#M210922 JacekF 2022-07-21T08:17:26Z https://community.splunk.com/t5/Splunk-Search/Excluding-daily-values-in-chart-if-less-then-1/m-p/606447#M210924 <P>This was exactly what I was looking for, thank you very much!</P><P>// G</P> Thu, 21 Jul 2022 08:23:58 GMT https://community.splunk.com/t5/Splunk-Search/Excluding-daily-values-in-chart-if-less-then-1/m-p/606447#M210924 fatsug 2022-07-21T08:23:58Z https://community.splunk.com/t5/Splunk-Search/Excluding-daily-values-in-chart-if-less-then-1/m-p/606451#M210927 <P>I could and your suggestions works so a big thank you! However, this gives number of hits per IP by day, I wanted to see number of hits per day by IP.</P><P>I started out with timechart though as I wanted a bargraph showing if any IP performed the same action on any two or more days in the past week. I guess you could "switch" the x-axis for timechart (?) though it just seemed more appropriate to use chart.</P><P>Again, thank you very much! I'll hang an to that combination for later use!</P><P>Best regards</P><P>// G</P> Thu, 21 Jul 2022 08:28:24 GMT https://community.splunk.com/t5/Splunk-Search/Excluding-daily-values-in-chart-if-less-then-1/m-p/606451#M210927 fatsug 2022-07-21T08:28:24Z