topic Re: How do I show stats where count is greater than 10, but without showing count field? in Splunk Search

How do I show stats where count is greater than 10, but without showing count field?

mplautz — Tue, 23 Dec 2014 21:54:31 GMT

I have an example query where I show the elapsed time for all log lines where detail equals one of three things, and I show the stats of the elapsed field:

normalized_source=http_plugin (detail=/online/public/userIdentify OR detail=/online/successfulLogin OR detail=/online/home) | 
stats avg(elapsed), median(elapsed), p90(elapsed) by detail

So an issue I run into is it matches both where detail equals "successfulLogin" as well as "successfullogin" (with a second lowercase L). The "successfullogin" exists in the logs because of tests done against the production environment, but doesn't reflect useful data. In fact, there are only 2 or 3 logs of the "successfullogin" whereas there are 40,000+ of all the other. I'd like to remove that result so I just show the three, because I am interested in the visualization of this (and I don't want a random 4th result). There are 3 ways I could go about this:
1. Limit the results to three
2. Make the detail= case sensitive
3. Show only the results where count is greater than, say, 10.

I don't really know how to do any of these (I'm pretty new to Splunk). I have tried option three with the following query:

normalized_source=http_plugin (detail=/online/userIdentify OR detail=/online/successfulLogin OR detail=/online/home) | stats count, avg(elapsed), median(elapsed), p90(elapsed) by detail | where count > 10

However, this includes the count field in the results. This is fine except when I turn this into a bar chart, the count column skews the other values (since it is so much larger). How could I redo that query to omit the count field?

(And for extra credit, how would I redo the first query to do option 1 and 2? I keep trying to modify the query and does not give me the expected results.)

Re: How do I show stats where count is greater than 10, but without showing count field?

ppablo — Tue, 23 Dec 2014 22:00:34 GMT

Hi @mplautz

Can you try using the fields command in your 2nd search query and see if it works for you?

normalized_source=http_plugin (detail=/online/userIdentify OR detail=/online/successfulLogin OR detail=/online/home) | stats count, avg(elapsed), median(elapsed), p90(elapsed) by detail | where count > 10 | fields - count

Re: How do I show stats where count is greater than 10, but without showing count field?

mplautz — Tue, 23 Dec 2014 22:05:15 GMT

That's it, it worked! I suppose I should have been more thorough in my Google searches to try to see how to remove columns from results.

Re: How do I show stats where count is greater than 10, but without showing count field?

mplautz — Tue, 23 Dec 2014 22:06:13 GMT

I saw you posted this an answer before it was a comment. Now I cannot give you "correct answer" credit.

Re: How do I show stats where count is greater than 10, but without showing count field?

ppablo — Tue, 23 Dec 2014 22:08:01 GMT

Just converted it back to an answer 🙂 glad it worked!