Splunk Enterprise Security

count/ subtotal for stats values.

shivarpith
Path Finder

Hi,

We have a query that brings up the sourcetypes in correlated search using "tstats" Example: tsats datamodel xyz values(sourcetype) as sourcetype by host

result

sourcetype host


sourcetype 1 ABCDtest
sourcetype 2
.
.
.
.
sourcetype 1 ABCDtest

task here is i need tehe events where sourcetypes listed are more than one for a host and show up only those

Requirement

sourcetype host


sourcetype 1 ABCDtest
sourcetype 2

it should be something like addtotals or sum of sourcetype and like where sourcetype>1

Thanks in advance.

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Add dc(sourcetype) as dc to your tstats, and add | where dc > 1 to your search pipeline.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Add dc(sourcetype) as dc to your tstats, and add | where dc > 1 to your search pipeline.

shivarpith
Path Finder

Thanks that works 🙂

0 Karma
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...