basic search | timechart span = 5m count by host | where count > 3 for today
10% of the time,the count is greater than 3. I only want those rows to display.
Please and thank you.
try this,
basesearch| bucket _time span=5m|stats count by host , _time| where count >3
View solution in original post
hello
Well you can do that in the timechart itself using where clause. You can try something like this
timechart
where
basic search | timechart span = 5m count by host WHERE count>3
See the example 4 given in this official doc of splunk. http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Timechart#Where_clause_Examples
let me know if this helps!
thank you. This is what I wanted.
