Splunk Search

Distinct count higher than a value ?

Path Finder

Hello all,

I am trying to search for distinct count higher than a value.
Below is what I tried, obfuscated :

stats dc(var1) as some_name by var2 which returns a column of values , say {1, 55, 2200, 45, 100, .. etc}
How do I extract from that column values higher than a "limit" ?

I tried

stats dc(var1) as some_name by var2 | search some_name > limit, but it doesn't work

Ideas ?

Tags (3)
1 Solution

Legend

If limit is a field, you can't use search - you need to use where

yoursearchhere
stats dc(var1) as some_name by var2 
| where some_name > limit

If limit is a literal, you can use either search or where

yoursearchhere
stats dc(var1) as some_name by var2 
| search some_name > 7

View solution in original post

Legend

If limit is a field, you can't use search - you need to use where

yoursearchhere
stats dc(var1) as some_name by var2 
| where some_name > limit

If limit is a literal, you can use either search or where

yoursearchhere
stats dc(var1) as some_name by var2 
| search some_name > 7

View solution in original post

Path Finder

Thanks, it worked like a charm, it seems I have to RTFM more often 🙂

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!