Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

first question ever - help with greater than - yes I searched answers/docs

mbond81
Engager
‎10-15-2015 08:08 PM

Sorry for the newb question, but I'm trying to alert based on "results" greater than a threshold of say 350 for a particular field. The field is not a numerical value field, so I can't simply use the > sign in the search string. When I tell it <search string> | chart count by <field> WHERE <field> > 350 , it doesn't work and still returns results with higher and lower counts as if my instructions weren't even there.
Here's my search, if needed: index=blah sourcetype=blah "logged in" | stats count by location
returns:
location count
abq 434
ama 376
anc 260
boi 393

I only want to see results of locations with a "logged in" count greater than 350.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tom_frotscher
Builder
‎10-16-2015 12:24 AM

Hi,

append this to your search:

... | where count > 350

to somthing like this:

index=blah sourcetype=blah "logged in" | stats count by location | where count > 350

Greetings

Tom

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mbond81
Engager
‎10-16-2015 07:36 AM

I hate it when simple things get the best of me. (Happens more than I like to admit)
Thanks for the help, fellas! The fix: I was missing the pipe in front of the 'where'. It works as | stats count as logins by | where logins > 250
So easy a caveman could do it. . . lucky for me!

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎10-16-2015 12:27 AM

Hi mbond81,

I'm not sure if chart really supports this; the docs are not so clear about it.
Nevertheless you got something wrong here; your example should use count in the where clause and not field :

<search string> | chart count by <field> | where count > 350

If you want to use field then do something like this:

<search string>  <field> > 350 | chart count by <field>

timechart does support the use of where (see docs after example 4 http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart#Examples ) :

<search string> | timechart count by <field> WHERE count > 350

Hope this helps ...

cheers, MuS

0 Karma
Reply
Solved! Jump to solution
Solution

tom_frotscher
Builder
‎10-16-2015 12:24 AM

Hi,

append this to your search:

... | where count > 350

to somthing like this:

index=blah sourcetype=blah "logged in" | stats count by location | where count > 350

Greetings

Tom

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...