I'm having search events like this:
23 Apr 2014 02:46:32,986 - 3339321692 [FtpTaskQueue] Error in Uploading Files
23 Apr 2014 02:46:31,672 - 3339320378 [FtpTaskQueue] Error in Uploading Files
23 Apr 2014 02:31:32,242 - 3338420948 [FtpTaskQueue] Error in Uploading Files
Here "Error in Uploading Files" has occurred more than 3 times, at different times,
so I need to display this error count as 3 under different hosts. I have around 12 hosts which have events like this. If the count is 2 for the last one hour, then I should not display the host.
Okay, listen, like @Ayn said in the other post: we are not here to solve your problems, we can help you to solve them on your own! I gave you the direction, you have to walk the path on your own ... and a good starting point is here
It's giving me the count. I don't want the count to come in the result, I want the matching events (_raw) which are having more than the count 3.
I need to display the results if and only if the events count > 3.
It's equal if you extract the name from the search or if it is there in the event itself; the count won't change. So @Mus's search is the way to go.
YourBaseSearchHere earliest=-60m "uploading reports to FTP server" | stats count(_raw) as CNT | where CNT > 3
This is it!
YourBaseSearchHere earliest=-60m | regex _raw="uploading reports to FTP server" | fields _raw,host | stats count(_raw) as CNT | where CNT > 3
This is returning only the total count. I need the _raw and host, so how can I write the search to get the _raw, host if the search count >= 3?
Sorry, but this search does not reflect your question: you asked for three events in one hour, but your search checks for more than 2 and the timechart spans 15 minutes. Also is
Did you consider the fact that you maybe don't have any errors currently?
If you could provide the exact search you did and maybe some more information it would be easier to help ...
'nothing was displaying ...' isn't helpful either
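
An added example, not part of the original thread: `stats` collapses the matching events into a single count row, which is why `_raw` and `host` disappear from the results of the searches above, whereas `eventstats` writes the per-host count onto every event so the events can be filtered and still displayed. `YourBaseSearchHere` is the placeholder used in the thread, the quoted string is the error text from the sample events, and the `CNT > 3` threshold is the one used in the searches above.

```spl
YourBaseSearchHere earliest=-60m "Error in Uploading Files"
| eventstats count AS CNT BY host
| where CNT > 3
| sort 0 host, -_time
| table _time, host, CNT, _raw
```

Hosts with three or fewer matching events in the last hour produce no rows at all, so an empty result means no host crossed the threshold.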