Solved: How can I count lines?

LauraBre · ‎06-27-2012

hello,

This is my search:

source=tcp:5555 PURCH_DAY=06-14 PURCH_DATE=19  PURCH_MIN>44 | stats count by ID_CARDHOLDER| sort - count | where count>=5|rangemap field=count severe=10-50 elevated=3-9 default=low

My problem is that I don't able to count the number of lines that my search returns. I want to apply my rangemap on the number of lines but I don't know how I can do it because I try count(_raw) but I don't use it correctly I think.

Thx by advance,

Laura

kristian_kolb · ‎06-27-2012

... |stats sum(linecount) AS MyTotalLines | ...

/kristian

View solution in original post

kristian_kolb · ‎06-27-2012

... |stats sum(linecount) AS MyTotalLines | ...

/kristian

LauraBre · ‎06-27-2012

No, I want to count the total lines that my search returns, not indivduals raw events.

Ayn · ‎06-27-2012

Number of lines in what? Individual raw events? Have you checked the linecount property?

How can I count lines?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation