I'm trying to remove outliers from my graphs where a field value appears too many times. My logs are in this format:
name:bob accessDate:July
name:stewart accessDate:July
name:bob accessDate:August
name:bob accessDate:August
name:paul accessDate:November
I want to totally ignore bob (and anyone else who appears more than 2 times), because he's skewing the access logs.
I've been trying to figure out a solution for more hours than I care to admit.
Thanks.
Depending on what you are trying to graph, why don't you add a count to your graph, and simply pipe into search count<2?
<base search> | timechart count ... by ... | search count<2
That'll remove any value in your "by" group that has more than 2 occurrences.
If your graphing / search are more complex than that, you can use a subsearch to dynamically identify who has more than 2 occurrences, and then ignore those:
<base search> [search <base search> | stats count by name | search count < 2 | table name] | <rest of your search>
This will return events that have a name from the list of names that occur only once.
Hope this helps
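The subsearch pattern in the answer above is a two-pass filter: count events per name, build an allow-list of names whose count is below a threshold, then keep only events whose name is on that list. Here is the same logic as an added Python example (not from the original post or from Splunk), run over the five sample log lines from the question, embedded inline as constructed input. The threshold is a parameter: `max_count=2` reproduces `search count < 2` exactly (only names seen once survive), while `max_count=3` corresponds to `count < 3`, which is what "ignore anyone who appears more than 2 times" literally asks for. The function names and the `key:value` parser are my own assumptions about the log format, not anything Splunk provides.

```python
from collections import Counter
from typing import Dict, List, Set

# Constructed sample events in the key:value format shown in the question.
SAMPLE_LOGS = """\
name:bob accessDate:July
name:stewart accessDate:July
name:bob accessDate:August
name:bob accessDate:August
name:paul accessDate:November
"""


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key:value key:value' line into a dict.

    The first ':' in each token separates key from value, so values
    containing ':' (e.g. timestamps) are kept intact.
    """
    event: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition(":")
        if sep:  # tokens without ':' are ignored rather than crashing the parse
            event[key] = value
    return event


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse a block of log lines, skipping blank lines."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def count_by_field(events: List[Dict[str, str]], field: str = "name") -> Dict[str, int]:
    """Equivalent of '... | stats count by name'."""
    return dict(Counter(e[field] for e in events if field in e))


def names_below_threshold(
    events: List[Dict[str, str]], field: str = "name", max_count: int = 2
) -> Set[str]:
    """Equivalent of the subsearch:
    '... | stats count by name | search count < max_count | table name'.
    Returns the allow-list of values that occur fewer than max_count times.
    """
    return {value for value, n in count_by_field(events, field).items() if n < max_count}


def filter_events(
    events: List[Dict[str, str]], field: str = "name", max_count: int = 2
) -> List[Dict[str, str]]:
    """Equivalent of the outer search: '<base search> [subsearch]'.

    Keeps only events whose field value is on the allow-list built from the
    whole event set, so a high-volume value like 'bob' is dropped entirely
    rather than just capped.
    """
    allowed = names_below_threshold(events, field, max_count)
    return [e for e in events if e.get(field) in allowed]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOGS)
    print("count by name:", count_by_field(evts))
    print("kept with count<2:", [e["name"] for e in filter_events(evts)])
    print("kept with count<3:", [e["name"] for e in filter_events(evts, max_count=3)])
```

Because the allow-list is computed over the full event set before any filtering, this matches the subsearch semantics rather than the `timechart ... | search count<2` form, where `count` is per time bucket and a name can survive in some buckets but not others.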
Brilliant, the second example worked a treat. Thank you very much!