https://community.splunk.com/t5/Splunk-Search/Filtering-based-on-quantity-of-list-results/m-p/140756#M38925 <P>Yes, that works! I think I was trying to over complicate it!</P> Mon, 14 Jul 2014 09:31:15 GMT Sam2 2014-07-14T09:31:15Z https://community.splunk.com/t5/Splunk-Search/Filtering-based-on-quantity-of-list-results/m-p/140754#M38923 <P>Hello all, </P> <P>I have this search:</P> <P>...| streamstats window=1 global=false current=f last(_time) as next_time by cs_host,username| eval gap = next_time - _time |search gap&gt;350| stats list(gap) by cs_host,username</P> <P>which draws a nice table, grouped by list(gap). However, I'd like to remove any rows in the table that only have one results of list(gap), but am struggling with the syntax. Can anyone help please?</P> Mon, 28 Sep 2020 17:03:36 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-based-on-quantity-of-list-results/m-p/140754#M38923 Sam2 2020-09-28T17:03:36Z https://community.splunk.com/t5/Splunk-Search/Filtering-based-on-quantity-of-list-results/m-p/140755#M38924 <P>How about this:</P> <PRE><CODE>... | streamstats window=1 global=false current=f last(_time) as next_time by cs_host,username| eval gap = next_time - _time | search gap&gt;350 | stats count list(gap) by cs_host username | where count &gt; 1 </CODE></PRE> Mon, 14 Jul 2014 08:49:06 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-based-on-quantity-of-list-results/m-p/140755#M38924 martin_mueller 2014-07-14T08:49:06Z https://community.splunk.com/t5/Splunk-Search/Filtering-based-on-quantity-of-list-results/m-p/140756#M38925 <P>Yes, that works! I think I was trying to over complicate it!</P> Mon, 14 Jul 2014 09:31:15 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-based-on-quantity-of-list-results/m-p/140756#M38925 Sam2 2014-07-14T09:31:15Z