Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count as a limiting factor for results of a nested query?

fncds3
Explorer
‎09-10-2012 09:20 AM

I'm attempting to identify the top 5 hosts responsible for my errors via the following query:

sourcetype=logs 
[ search sourcetype=logs 
| top 0 errors showperc=false showcount=false ] 
| top 5 hosts by errors showperc=false

This query works, but gives me results for a ton of errors. I would like to limit the results to only errors per host that are greater than a count of 10. However when I add the following line to my query, I get no results:

| search count > 10

I know that I have results that are > 10, so this logic is valid, but I cannot figure out how to properly apply it.

Here's a sample of what my results look like:

 - host  - error - count 
 - APP01 - err09 - 50 
 - APP01 - err07 - 38 
 - APP01 - err05 - 27 
 - APP01 - err10 - 20 
 - APP01 - err12 - 4 
 - APP02 - err15 - 33 
 - APP02 - err60 - 21 
 - APP02 - err09 - 8

...

Any ideas on how to remove the rows with counts that are not greater than 10?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎09-10-2012 11:18 AM

Why the subsearch? 

sourcetype=logs | stats c by error, host | search c > 10

Perhaps there is some simplification you've made regarding the actual logs. If this does not work, please post a few sample lines of actual log.

hope this helps,

Kristian

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎09-10-2012 11:18 AM

Why the subsearch? 

sourcetype=logs | stats c by error, host | search c > 10

Perhaps there is some simplification you've made regarding the actual logs. If this does not work, please post a few sample lines of actual log.

hope this helps,

Kristian

Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...