Solved: Filtering results by count on one item

pitshot · ‎07-20-2014

What I am trying to accomplish.
Search for three items X Y and Z .
Count the total number of events for each X Y Z .
Display any results from X or Y and only display Z when the count is above 1.

I am having trouble with the last part of this search. I am not sure how to process the count of the Z result and drop results below the count of 1. I have tried several techniques but I have not had any success in putting the searches together.

strive · ‎07-20-2014

Try this

index=MyIndex (EventType="X" OR EventType="Y") | stats count as Count by EventType | append [search index=MyIndex EventType="Z" | stats count as Count by EventType | where Count > 1]

View solution in original post

strive · ‎07-20-2014

Try this

index=MyIndex (EventType="X" OR EventType="Y") | stats count as Count by EventType | append [search index=MyIndex EventType="Z" | stats count as Count by EventType | where Count > 1]

pitshot · ‎07-20-2014

Perfect, I was making the search into something way to complicated. The append works great Thanks

Filtering results by count on one item

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

Are you a member of the Splunk Community?

Filtering results by count on one item

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk