Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

count/ subtotal for stats values.

shivarpith
Path Finder
‎03-21-2016 06:33 AM

Hi,

We have a query that brings up the sourcetypes in correlated search using "tstats" Example: tsats datamodel xyz values(sourcetype) as sourcetype by host

result

sourcetype host

sourcetype 1 ABCDtest
sourcetype 2
.
.
.
.
sourcetype 1 ABCDtest

task here is i need tehe events where sourcetypes listed are more than one for a host and show up only those

Requirement

sourcetype host

sourcetype 1 ABCDtest
sourcetype 2

it should be something like addtotals or sum of sourcetype and like where sourcetype>1

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-21-2016 10:55 AM

Add dc(sourcetype) as dc to your tstats, and add | where dc > 1 to your search pipeline.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-21-2016 10:55 AM

Add dc(sourcetype) as dc to your tstats, and add | where dc > 1 to your search pipeline.

Reply
Solved! Jump to solution

shivarpith
Path Finder
‎03-21-2016 02:08 PM

Thanks that works 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...