Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Filter count?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Trying to output just names where the count=1.
Original Search
Aliases="*hba*" | rex "Aliases:\s+(?<Aliname>\S+)_hba" | chart values(Permanent_Port_Name) by Aliname
Tried variations of the below- most complain that the count function is not supported.
I've checked the documentation & havent found much on how to do this.
Aliases="*hba*" | rex "Aliases:\s+(?<Aliname>\S+)_hba" | where count(Aliname)=1 | chart values(Permanent_Port_Name) by Aliname
Aliases="*hba*" | rex "Aliases:\s+(?<Aliname>\S+)_hba" | search count(Aliname)=1 | chart values(Permanent_Port_Name) by Aliname
Aliases="*hba*" | rex "Aliases:\s+(?<Aliname>\S+)_hba" | eval FAIL=count(Aliname) | where FAIL=1 | chart values(Permanent_Port_Name) by Aliname
Only want to chart where my count=1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Aliases="*hba*"
| rex "Aliases:\s+(?<Aliname>\S+)_hba"
| chart distinct_count(Permanent_Port_Name) as PortNameCount values(Permanent_Port_Name) by Aliname
| where PortNameCount = 1
This will work, and I think it is what you want. Maybe.
There were several problems with your earlier attempts. First, the where command does not have a count function. Second, the values function returns a list of the values, not a count. The eval command does not have a count function either.
A count can be computed using the stats, chart or timechart commands. However, the count is the number of events - not the number of unique values. The distinct_count function returns the number of unique values of a field. However, you must give the field a name, by using the as clause, if you want to refer to the field in subsequent commands.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Aliases="*hba*"
| rex "Aliases:\s+(?<Aliname>\S+)_hba"
| chart distinct_count(Permanent_Port_Name) as PortNameCount values(Permanent_Port_Name) by Aliname
| where PortNameCount = 1
This will work, and I think it is what you want. Maybe.
There were several problems with your earlier attempts. First, the where command does not have a count function. Second, the values function returns a list of the values, not a count. The eval command does not have a count function either.
A count can be computed using the stats, chart or timechart commands. However, the count is the number of events - not the number of unique values. The distinct_count function returns the number of unique values of a field. However, you must give the field a name, by using the as clause, if you want to refer to the field in subsequent commands.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Automating Threat Operations and Threat Hunting with Recorded Future
Keep the Learning Going with the New Best of .conf Hub
Splunk Community Badges!
