Solved: Function results and evaluating them

rudy_dom · ‎10-03-2013

Soo - I got this great search to show how many hosts at each location we are getting logs from. I want to only display the ones that have less than 3 reporting in.
This is what I have so far:

host=host2 OR host=*host1 OR host=otherhost | rex field=host "(?\d{4})" | fields fruit host | stats distinct_count(host) by fruit | sort num(distinct_count(host))

I thought I could add this:
| eval (distinct_count(host)) < 3

But it does not work.
I guess I need to assign a key to the value derived from "stats distinct_count(host) by fruit" so I can use that key for the evaluation. where does not work either.

Rudy

sdaniels · ‎10-03-2013

So you tried this:

host=host2 OR host=host1 OR host=otherhost* | rex field=host "(?<fruit>d{4})" | fields fruit host | stats distinct_count(host) as myCount by fruit | sort -myCount

and then you could add

 where myCount < 3 or | search myCount < 3

View solution in original post

sdaniels · ‎10-03-2013

So you tried this:

host=host2 OR host=host1 OR host=otherhost* | rex field=host "(?<fruit>d{4})" | fields fruit host | stats distinct_count(host) as myCount by fruit | sort -myCount

and then you could add

 where myCount < 3 or | search myCount < 3

Function results and evaluating them

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)