topic Re: How do I filter my search to only display users that have appeared a minimum of 5 times? in Splunk Search

How do I filter my search to only display users that have appeared a minimum of 5 times?

bspier1 — Tue, 12 Jan 2016 14:53:25 GMT

Hi There,

I have a field that identifies users, e.g. userID. I also have a field that is common in every log, e.g. command.

How can I create a timechart that doesn't return all users, rather, just users who have appeared a minimum of five times?

I tried the following search, but it didn't return any results:

stats count(command) as Uses by userID | Where Uses>5 | timechart span=1d dc(userID)

Thanks!

Re: How do I filter my search to only display users that have appeared a minimum of 5 times?

javiergn — Tue, 12 Jan 2016 15:58:43 GMT

Time chart needs a time field in order to work.
Try the following instead:

| yoursearch
| bucket span=1d _time
| stats count(command) as Uses by userID, _time
| Where Uses>5 
| timechart span=1d dc(userID)

Or this:

| yoursearch
| timechart span=1d count by userID
| Where count > 5

Re: How do I filter my search to only display users that have appeared a minimum of 5 times?

bspier1 — Tue, 12 Jan 2016 16:24:29 GMT

I couldn't get either query to work.

I think the Where clause is the problem in both queries. I notice that 'where' is supposed to only be used when relating two fields. Maybe that's a problem with using where?

Re: How do I filter my search to only display users that have appeared a minimum of 5 times?

javiergn — Tue, 12 Jan 2016 16:29:01 GMT

You can use both "search count > 5" or "where count > 5"
Try search instead but both should work just fine.

Re: How do I filter my search to only display users that have appeared a minimum of 5 times?

javiergn — Tue, 12 Jan 2016 16:30:00 GMT

If none work, can you paste your whole query here?

Re: How do I filter my search to only display users that have appeared a minimum of 5 times?

bspier1 — Tue, 12 Jan 2016 16:38:15 GMT

I was able to get the first query to work if I replaced 'search' instead of 'where'. I think using 'where' was really my problem, and now it works much better with 'search'. Thanks so much for the tip, I'm hanging onto your first query above.

Re: How do I filter my search to only display users that have appeared a minimum of 5 times?

ppablo — Tue, 12 Jan 2016 19:15:55 GMT

Hi @bspier1

I'm glad you were able to find a solution through @javiergn 🙂 Please don't forget to resolve your questions by clicking "Accept" directly below the answer. This will help make it easier for other users finding an answer to the same/similar question. Thanks!

Patrick