Is there a query to combine 2 searches, a running normal search and a stats search, and display a single output on the dashboard?
For example:
Normal search
index=server event-type=diskfailure earliest=-24h
AND
Stats search
index=server event-type="high mem-utilization" | stats count by hostname | where count > 3
I'm not sure how you'd like to combine the two, so here's one way of achieving a combination:
index=server event-type="diskfailure" OR event-type="high mem-utilization" | stats count by hostname event-type
Hello Martin,
can you give an update on this?
Thanks a lot for your help in advance.
Hi Martin,
Need your help again. The count provided for the event with the threshold value is incorrect.
It gives the value as 1 with a flat sparkline, when there were actually 5 occurrences in an hour.
I need the count to be displayed as 5 and not as 1.
Let's assume there were totally 10 events in a 24 hr period. The final table should be like below:
Eventname count
Event 1 - 1
Event 2 - 1
Event 3 (the threshold event where count exceeds 3 in an hour) - 5
Event 4 .. - 1
Wonderful.
Thanks a lot for your help, Martin.
I am now able to get the results that I wanted.
OR is the logical OR operator, yielding true if at least one of its operands is true.
http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/where
Now I lost the results of the stats search for the 2nd event type, high mem utilization. What does the OR operator do here?
Maybe I am doing something wrong, can you post the entire query here?
That's exactly what this does, it leaves the disk alone and filters the other event type. If you have more than one non-filtered event type you can also use this:
... | where NOT event-type="high mem-utilization" OR count > 3
Martin, I need to filter by count only for the 2nd event type, high mem utilization. All the other event types need to be as they are.
Be smarter about your where condition then:
... | where event-type="diskfailure" OR count > 3
That'll keep all diskfailure results and filter by count for the rest.
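One way to get the hourly-threshold table the thread asks for (filter by count only for the memory event type, and show 5 rather than 1 when five occurrences fall in one hour), as an added example rather than Martin's posted query; it assumes the thread's field names (index=server, event-type, hostname) and a 1-hour window for the threshold:

```spl
index=server earliest=-24h (event-type="diskfailure" OR event-type="high mem-utilization")
| bin _time span=1h
| stats count by _time hostname event-type
| where event-type="diskfailure" OR count > 3
| stats sum(count) as count by hostname event-type
```

Events are first counted per hour, host and event type, the count > 3 condition is applied only to the non-diskfailure rows, and the surviving hourly counts are summed so the threshold hour keeps its full count.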
I added where count > 3 and it removes all the results of the first event type whose count is less than 3.
I need this to be applied only to the 2nd event type, not to the first event type.
You can add any where command after the stats to filter by whatever you need.
It still shows results where count is less than 3, is there a way to filter them out from the table?
It's right in the answer I first posted, see stats count by hostname event-type.
Hi Martin, please let me know the query to group by event type to be able to distinguish between the two.
Please start using the comment function to post comments rather than posting comments as an answer.
You're seeing weird results because you're running a second stats over partial raw data and partial stats data. You'll want to group by event type to be able to distinguish between the two, which leads you back to my original search.
I have added the pipe but I am seeing results of the second event type where count has not exceeded the threshold of 3 in an hour.
There's a pipe missing before the last stats.
I am not able to run a stats command at the end.
index=server event-type=diskfailure earliest=-24h | append [index=server event-type=high mem-ultilzation | stats count by hostname | where count > 3] stats count by hostname
It gives the error:
Error in 'append' command: The last argument must be a subsearch.