- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/aa1e9/aa1e9aeca0c358457c0abf0a3e4d490bdcd5f38c" alt="rudy_dom rudy_dom"
rudy_dom
Engager
10-03-2013
07:34 AM
Soo - I got this great search to show how many hosts at each location we are getting logs from. I want to only display the ones that have less than 3 reporting in.
This is what I have so far:
host=host2 OR host=*host1 OR host=otherhost | rex field=host "(?
I thought I could add this:
| eval (distinct_count(host)) < 3
But it does not work.
I guess I need to assign a key to the value derived from "stats distinct_count(host) by fruit" so I can use that key for the evaluation. where does not work either.
Rudy
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sdaniels
data:image/s3,"s3://crabby-images/1f594/1f594b1b4c0941863df1722dd52dd06a5b9a2e11" alt="Splunk Employee Splunk Employee"
Splunk Employee
10-03-2013
07:46 AM
So you tried this:
host=host2 OR host=host1 OR host=otherhost* | rex field=host "(?<fruit>d{4})" | fields fruit host | stats distinct_count(host) as myCount by fruit | sort -myCount
and then you could add
where myCount < 3 or | search myCount < 3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sdaniels
data:image/s3,"s3://crabby-images/1f594/1f594b1b4c0941863df1722dd52dd06a5b9a2e11" alt="Splunk Employee Splunk Employee"
Splunk Employee
10-03-2013
07:46 AM
So you tried this:
host=host2 OR host=host1 OR host=otherhost* | rex field=host "(?<fruit>d{4})" | fields fruit host | stats distinct_count(host) as myCount by fruit | sort -myCount
and then you could add
where myCount < 3 or | search myCount < 3
data:image/s3,"s3://crabby-images/5d9f8/5d9f80c54160124d38856b77a799077db7d57026" alt=""