Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Filter the number of less than 1000 of the data

RICKZHANG
Engager
‎11-23-2016 01:51 AM

Filter the number of less than 1000 of the data

example:

index=app sourcetype=EPC*Event* level=ERROR |rex field=requestUrl  mode=sed "s/\\d|\d\|%\/|\$amps;\/|\)\/|\(\/|%|\$|\d|\(|\)/@/g"|stats count as Counts by eventId,eventName,level,sourcetype,requestUrl|sort -Counts| head 30|rename sourcetype As Sourcetype,eventId As Eventcode,eventName as Description|fields Sourcetype,Eventcode,Counts,Description,requestUrl

how to filter the number of Counts less than 1000 of the data?
Thanks!

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-23-2016 04:53 AM

Perhaps this is what you are looking for?

index=app sourcetype=EPC*Event* level=ERROR |rex field=requestUrl  mode=sed "s/\\d|\d\|%\/|\$amps;\/|\)\/|\(\/|%|\$|\d|\(|\)/@/g"|stats count as Counts by eventId,eventName,level,sourcetype,requestUrl|sort -Counts| where Counts >= 1000 | head 30|rename sourcetype As Sourcetype,eventId As Eventcode,eventName as Description|fields Sourcetype,Eventcode,Counts,Description,requestUrl
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

PPape
Contributor
‎11-23-2016 04:53 AM

you could use the where clause

index=app sourcetype=EPC*Event* level=ERROR |rex field=requestUrl mode=sed "s/\\d|\d\|%\/|\$amps;\/|)\/|(\/|%|\$|\d|(|)/@/g"|stats count as Counts by eventId,eventName,level,sourcetype,requestUrl|sort -Counts| head 30|rename sourcetype As Sourcetype,eventId As Eventcode,eventName as Description|fields Sourcetype,Eventcode,Counts,Description,requestUr | where Counts < 1000
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...