topic Re: How do I count the total in a subsearch with only totals that are greater than 100. in Splunk Search

How do I count the total in a subsearch with only totals that are greater than 100.

Dallastek — Fri, 10 Jul 2015 14:38:04 GMT

sourcetype=mysource Name=web_access `myfilter` | stats count(Source_Host) as temp by Source_Host, Dest_Host | sort -temp | eval subtotal = temp."        " | stats list(Source_Host) AS Destination, list(subtotal) as Subtotal, sum(temp) as Total by Dest_Host | eval Total = Total."      " | sort - Total | rename Dest_Host AS Source

Tried a subsearch but, no joy-

sourcetype=mysource Name=web_access `myfilter` | stats count(Source_Host) as temp by Source_Host, Dest_Host | sort -temp | eval subtotal = temp."        " | stats list(Source_Host) AS Destination, list(subtotal) as Subtotal, sum(temp) as Total by Dest_Host | eval Total = Total."      " | sort - Total | rename Dest_Host AS Source | search | stats count by  Source, Total | where count >100

Re: How do I count the total in a subsearch with only totals that are greater than 100.

Dallastek — Fri, 10 Jul 2015 14:44:48 GMT

that is actually two separate searches, It all got mushed together when I posted 🙂

Re: How do I count the total in a subsearch with only totals that are greater than 100.

Dallastek — Fri, 10 Jul 2015 15:09:23 GMT

the output looks like this:
Source-----------------------Destination-----------------------------subtotal----------------Total
1.1.1.1 2.2.2.2 3 5
3.3.3.3 2

Re: How do I count the total in a subsearch with only totals that are greater than 100.

Dallastek — Fri, 10 Jul 2015 15:10:21 GMT

Again I posted 2 seperate searches to show what I have tried, I dont run BOTH searches

Re: How do I count the total in a subsearch with only totals that are greater than 100.

Dallastek — Fri, 10 Jul 2015 15:46:04 GMT

Sorry if this seems confusing. really what I need is to only show events that are greater than 100 in the total column.

Re: How do I count the total in a subsearch with only totals that are greater than 100.

woodcock — Fri, 10 Jul 2015 15:59:26 GMT

If your first search works, then this should do it:

sourcetype=mysource Name=web_access `myfilter` | stats count(Source_Host) as temp by Source_Host, Dest_Host | sort -temp | eval subtotal = temp."        " | stats list(Source_Host) AS Destination, list(subtotal) as Subtotal, sum(temp) as Total by Dest_Host | eval count=Total | eval Total = Total."      " | sort - Total | rename Dest_Host AS Source | where count>100 | fields - count

BTW, this is not called a subsearch, and it confused the question very much that you used that term. I suppose this might be called a postsearch...?

Re: How do I count the total in a subsearch with only totals that are greater than 100.

Dallastek — Fri, 10 Jul 2015 16:45:59 GMT

That works thanks!!