Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Conditional Filter count results in chart
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Conditional Filter count results in chart
dchodur
Path Finder
04-22-2013
09:07 AM
index=rhwindows sourcetype="WinEventLog:System" Type=Error OR Type=Warning NOT (*PrintSpooler OR *SpoolerWin32SPL) earliest=-24h@h latest=now | chart count over host by SourceName
Hopefully simple one:
Given the search above how do I only display counts that are greater then one for SourceName of a host.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vyhmeister
New Member
02-19-2014
09:40 AM
I had a similar need, this worked for me:
...| stats count as Total by host, SourceName | search Total > 5 | chart last(Total) over host by SourceName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dchodur
Path Finder
05-06-2013
01:17 PM
Finally got back to this:
Found this post:
http://splunk-base.splunk.com/answers/56425/counting-distinct-field-values-and-dislaying-count-and-v...
Using this idea I did something like this.
| stats count by SourceName host | search count > 2 | table SourceName, host, count | sort -count
Not the way I really wanted it but it works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dchodur
Path Finder
04-23-2013
10:03 AM
Sort of, I dont want any host where the count in any column of the columns is less then 2. A lot of these systems generate some one off events, I do not want to display those. I would assume if a host has a 28 in a column the others will still need to be zero or 1 because the host is listed.
If there was a better way to chart/table these I would be up for that. Maybe a multi listing or something.
Trying to make it easier to read and see issue spots.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bmacias84
Champion
04-23-2013
10:07 AM
@dchodur, did you try my new search in my answer using streamstats?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dchodur
Path Finder
04-23-2013
10:03 AM
Sort of, I dont want any host where the count in any column of the columns is less then 2. A lot of these systems generate some one off events, I do not want to display those. I would assume if a host has a 28 in a column the others will still need to be zero or 1 because the host is listed.
If there was a better way to chart/table these I would be up for that. Maybe a multi listing or something.
Trying to make it easier to read and see issue spots.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dchodur
Path Finder
04-23-2013
10:03 AM
Sort of, I dont want any host where the count in any column of the columns is less then 2. A lot of these systems generate some one off events, I do not want to display those. I would assume if a host has a 28 in a column the others will still need to be zero or 1 because the host is listed.
If there was a better way to chart/table these I would be up for that. Maybe a multi listing or something.
Trying to make it easier to read and see issue spots.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dchodur
Path Finder
04-23-2013
10:03 AM
Sort of, I dont want any host where the count in any column of the columns is less then 2. A lot of these systems generate some one off events, I do not want to display those. I would assume if a host has a 28 in a column the others will still need to be zero or 1 because the host is listed.
If there was a better way to chart/table these I would be up for that. Maybe a multi listing or something.
Trying to make it easier to read and see issue spots.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dchodur
Path Finder
04-22-2013
02:15 PM
Apprechiate the response still not acting like I want. Maybe an example best.
host DnsApi Kerberos Microsoft-Windows-GroupPolicy Microsoft-Windows-Resource-Exhaustion-Detector Microsoft-Windows-Service Control Manager Microsoft-Windows-Time-Service PlugPlayManager Print Service Control Manager Eventlog Provider TermServDevices
1 CLAIMS 0 0 0 0 0 0 0 2 0 0
2 DIVSRV 0 0 0 0 0 6 0 0 0 0
3 MQVMa 0 0 0 0 0 0 226 0 0 0
4 MQVMb 0 0 0 0 0 0 0 0 0 1
5 PASSEXTN1 0 0 28 0 0 0 0 0 0 0
6 RHEDOC 0 0 0 0 0 0 0 0 0 1
7 VIPPsrv 1 0 0 0 0 7 0 0 0 0
I want to drop off systems like MQVMb, RHEDOC since they only have a count of one in any of the columns.
When I do the suggested way or anything where I seem to conditional count I loose systems lineMQVMa and the 226 or PASSEXTn1 28.
Sure I am just not building out the search correctly from the git go.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bmacias84
Champion
04-22-2013
03:10 PM
@dchodur,
I've added an update.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bmacias84
Champion
04-22-2013
02:55 PM
So you want to drop any host whos total sourceName count is less than 5?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bmacias84
Champion
04-22-2013
09:34 AM
I would use a where clause and stats. Keep in mind I am doing this off the cuff.
...|stats count by host, SourceName| where count>5 | chart count over host by SourceName
This may get you closer. Also might work better with subsearch.
...|stats count by host, SourceName| streamstats sum(count) as total_count by host |selfjoin host |where total_count>5 | chart count over host by SourceName
This should do what you want or give you an idea. Dont forget to accept and/or vote up anwser that help.
Get Updates on the Splunk Community!
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
