Query results based on stats

mmletzko — Sat, 05 Feb 2011 00:28:57 GMT

I would like to produce results from a query of syslog, based on the number of events using "stats", but show the results in the console, and not the "counts".

For example, the statement "dual | stats count by host | where count > 50" gives me a list of any device with greater than 50 hits of the word "dual". In the results window, it shows the list of routers and their counts...which is still useful data, but not what I'm looking for.

I'm looking for the results in the window to be the actual syslog messages...without having to click something else first.

Is this possible? Seems like it should be simple, and I've tried many iterations of commands, but haven't come up with the right way to do it.

Thanks!!

Re: Query results based on stats

sideview — Sat, 05 Feb 2011 01:11:21 GMT

Sounds like you want ALL the events from the hosts that have 'dual' in their events more than 50 times?

If so, then you can do this with a subsearch, like so:

* [dual | stats count by host | where count > 50 | fields host]

Since in this case the events you want are a subset of the same events you're getting off disk in the subsearch, you can probably use streamstats to kind of paint the 'counts' onto the events themselves and then just filter without ever transforming the rows.

topic Query results based on stats in Splunk Search

Query results based on stats

Re: Query results based on stats