topic Re: Conditional Filter count results in chart in Splunk Search

Conditional Filter count results in chart

dchodur — Mon, 22 Apr 2013 16:07:17 GMT

index=rhwindows sourcetype="WinEventLog:System" Type=Error OR Type=Warning NOT (*PrintSpooler OR *SpoolerWin32SPL) earliest=-24h@h latest=now | chart count over host by SourceName

Hopefully simple one:
Given the search above how do I only display counts that are greater then one for SourceName of a host.

Thanks.

Re: Conditional Filter count results in chart

bmacias84 — Mon, 22 Apr 2013 16:34:08 GMT

I would use a where clause and stats. Keep in mind I am doing this off the cuff.



...|stats count by host, SourceName| where count>5 | chart count over host by SourceName

This may get you closer. Also might work better with subsearch.



...|stats count by host, SourceName| streamstats sum(count) as total_count by host |selfjoin  host |where total_count>5 | chart count over host by SourceName

This should do what you want or give you an idea. Dont forget to accept and/or vote up anwser that help.

Re: Conditional Filter count results in chart

dchodur — Mon, 22 Apr 2013 21:15:28 GMT

Apprechiate the response still not acting like I want. Maybe an example best.

    host    DnsApi  Kerberos    Microsoft-Windows-GroupPolicy   Microsoft-Windows-Resource-Exhaustion-Detector  Microsoft-Windows-Service Control Manager   Microsoft-Windows-Time-Service  PlugPlayManager     Print   Service Control Manager Eventlog Provider   TermServDevices
1   CLAIMS  0   0   0   0   0   0   0   2   0   0
2   DIVSRV  0   0   0   0   0   6   0   0   0   0
3   MQVMa   0   0   0   0   0   0   226 0   0   0
4   MQVMb   0   0   0   0   0   0   0   0   0   1
5   PASSEXTN1   0   0   28  0   0   0   0   0   0   0
6   RHEDOC  0   0   0   0   0   0   0   0   0   1
7   VIPPsrv 1   0   0   0   0   7   0   0   0   0

I want to drop off systems like MQVMb, RHEDOC since they only have a count of one in any of the columns.

When I do the suggested way or anything where I seem to conditional count I loose systems lineMQVMa and the 226 or PASSEXTn1 28.

Sure I am just not building out the search correctly from the git go.

Re: Conditional Filter count results in chart

bmacias84 — Mon, 22 Apr 2013 21:55:55 GMT

So you want to drop any host whos total sourceName count is less than 5?

Re: Conditional Filter count results in chart

bmacias84 — Mon, 22 Apr 2013 22:10:39 GMT

@dchodur,
I've added an update.

Re: Conditional Filter count results in chart

dchodur — Tue, 23 Apr 2013 17:03:09 GMT

Sort of, I dont want any host where the count in any column of the columns is less then 2. A lot of these systems generate some one off events, I do not want to display those. I would assume if a host has a 28 in a column the others will still need to be zero or 1 because the host is listed.

If there was a better way to chart/table these I would be up for that. Maybe a multi listing or something.

Trying to make it easier to read and see issue spots.

Re: Conditional Filter count results in chart

dchodur — Tue, 23 Apr 2013 17:03:26 GMT

If there was a better way to chart/table these I would be up for that. Maybe a multi listing or something.

Trying to make it easier to read and see issue spots.

Re: Conditional Filter count results in chart

dchodur — Tue, 23 Apr 2013 17:03:47 GMT

If there was a better way to chart/table these I would be up for that. Maybe a multi listing or something.

Trying to make it easier to read and see issue spots.

Re: Conditional Filter count results in chart

dchodur — Tue, 23 Apr 2013 17:03:51 GMT

If there was a better way to chart/table these I would be up for that. Maybe a multi listing or something.

Trying to make it easier to read and see issue spots.

Re: Conditional Filter count results in chart

bmacias84 — Tue, 23 Apr 2013 17:07:38 GMT

@dchodur, did you try my new search in my answer using streamstats?

Re: Conditional Filter count results in chart

dchodur — Mon, 06 May 2013 20:17:11 GMT

Finally got back to this:

Found this post:
http://splunk-base.splunk.com/answers/56425/counting-distinct-field-values-and-dislaying-count-and-value-together

Using this idea I did something like this.
| stats count by SourceName host | search count > 2 | table SourceName, host, count | sort -count

Not the way I really wanted it but it works.

Re: Conditional Filter count results in chart

vyhmeister — Wed, 19 Feb 2014 17:40:17 GMT

I had a similar need, this worked for me:

...| stats count as Total by host, SourceName | search Total > 5 | chart last(Total) over host by SourceName