I'm pretty new to Splunk. I have to create a search/alert and am having trouble with the syntax. This is what I'm trying to do:
index=myindex field1="AU" field2="L"
|stats count by field3 where count >5 OR count by field4 where count>2
Any help is greatly appreciated.
The stats command does not have a where clause and only has a single
What are you trying to accomplish with your sample query? Once you explain what results you want to get, we may be able to help you get them.
I am trying to find events that match field1 and field2, and match field3 if there are more than 5 or match field4 if there are more than 2.
Thanks for the info.
Perhaps you are looking for something like this?
index=myindex field1="AU" field2="L" |stats dc(field3) as field3,dc(field4) as field4 |where (field3>5 OR field4>2)
index=myindex field1="AU" field2="L" | fillnull value="N/A" field3 field4 |stats count BY field3 field4 | multireport [ stats sum(count) AS f3count BY field3 | where f3count>5] [ stats sum(count) AS f4count BY field4 | where f4count>2]
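The two answers aggregate differently: the first counts distinct values of field3 and field4 across the whole result set, the second counts events per value and applies the thresholds to each value. As an added example that is not part of the thread, this Python reproduces both aggregations over constructed sample events so the difference is visible; the field names and thresholds come from the question, the event values are made up.

```python
"""Added example (not from the original thread): replay the two SPL
answers' aggregation logic in plain Python over constructed events,
so a reader can see why `dc(field3)` and `count BY field3` answer
different questions when building a threshold alert."""
from collections import Counter


def _rep(n, **fields):
    """Return n identical constructed events (stand-ins for indexed logs)."""
    return [dict(fields) for _ in range(n)]


# Constructed sample events, as if already filtered by field1="AU" field2="L".
EVENTS = (
    _rep(4, field3="host-a", field4="svc-x")
    + _rep(2, field3="host-a", field4="svc-y")
    + _rep(1, field3="host-b", field4="svc-x")
    + _rep(1, field3="host-c")  # field4 missing: exercises fillnull
)


def distinct_count_check(events, f3_threshold=5, f4_threshold=2):
    """Mirror answer 1: stats dc(field3) as field3, dc(field4) as field4
    | where (field3>5 OR field4>2). dc() ignores null values and yields one
    number for the whole set, so the result is a single pass/fail."""
    dc3 = len({e["field3"] for e in events if "field3" in e})
    dc4 = len({e["field4"] for e in events if "field4" in e})
    return dc3 > f3_threshold or dc4 > f4_threshold


def per_value_count_check(events, f3_threshold=5, f4_threshold=2):
    """Mirror answer 2: fillnull value="N/A" field3 field4, then count
    events per field3 value and per field4 value with separate thresholds.
    Returns (field3 values seen more than 5 times, field4 values seen more
    than 2 times), each as {value: count}."""
    c3 = Counter(e.get("field3", "N/A") for e in events)
    c4 = Counter(e.get("field4", "N/A") for e in events)
    f3_hits = {v: n for v, n in c3.items() if n > f3_threshold}
    f4_hits = {v: n for v, n in c4.items() if n > f4_threshold}
    return f3_hits, f4_hits


if __name__ == "__main__":
    # On this data answer 1 never fires (3 distinct field3, 2 distinct field4),
    # while answer 2 flags host-a (6 events) and svc-x (5 events).
    print("dc-based alert fires:", distinct_count_check(EVENTS))
    print("per-value hits:", per_value_count_check(EVENTS))
```

With these events the dc-based query stays silent because only three distinct field3 values exist, while the per-value query surfaces host-a and svc-x, which matches what the question describes.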