topic where count is > 5 in Splunk Search

where count is > 5

subtrakt — Fri, 21 Feb 2014 20:53:39 GMT

Hi Everyone - I'm trying to reduce noise on some of my reports. Certain messages with "unreadable" are coming in and I only want them on the report if the the count is > 5. At the same time, I don't want to ignore everything else that is < 5 that does not include "unreadable"...

Here's what i thought made sense.
stats dc(MESSAGE) | where MESSAGE="unreadable" > 5

Re: where count is > 5

martin_mueller — Fri, 21 Feb 2014 21:28:07 GMT

I don't quite understand your example, so here's how you would filter events based on your description:

... | where NOT (count <= 5 AND match(MESSAGE, "unreadable"))

That will drop events if the count is less or equal five and the message contains "unreadable".

Re: where count is > 5

petermuller — Fri, 21 Feb 2014 22:05:35 GMT

I'd like to point out for the original poster that your method assumes that the stats command is "stats count by MESSAGE" instead of "stats dc(MESSAGE)", which will count the number of times a particular message in MESSAGE is encountered (which I believe is what they want) instead of counting the number of different values that MESSAGE holds (which is in the example, but not necessarily what they are asking for).

Re: where count is > 5

martin_mueller — Fri, 21 Feb 2014 22:48:48 GMT

Well, filtering based on message content isn't going to be possible after a stats dc(message) because that just yields a single number.

Re: where count is > 5

subtrakt — Sat, 22 Feb 2014 20:47:13 GMT

Martin, does stats have to be in the query before the '| where'?

Re: where count is > 5

martin_mueller — Sat, 22 Feb 2014 20:50:45 GMT

All the where needs is the two fields referenced - where they come from doesn't matter.

If you compute them using stats then yes, the stats must be somewhere before the where.

Re: where count is > 5

subtrakt — Sat, 22 Feb 2014 21:01:55 GMT

nevermind, didn't read peter's post. Thanks everyone.