Splunk Search

Filtering results by count on one item

pitshot
Explorer

What I am trying to accomplish.
Search for three items X Y and Z .
Count the total number of events for each X Y Z .
Display any results from X or Y and only display Z when the count is above 1.

I am having trouble with the last part of this search. I am not sure how to process the count of the Z result and drop results below the count of 1. I have tried several techniques but I have not had any success in putting the searches together.

Tags (1)
1 Solution

strive
Influencer

Try this

index=MyIndex (EventType="X" OR EventType="Y") | stats count as Count by EventType | append [search index=MyIndex EventType="Z" | stats count as Count by EventType | where Count > 1]

View solution in original post

strive
Influencer

Try this

index=MyIndex (EventType="X" OR EventType="Y") | stats count as Count by EventType | append [search index=MyIndex EventType="Z" | stats count as Count by EventType | where Count > 1]

pitshot
Explorer

Perfect, I was making the search into something way to complicated. The append works great Thanks

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...