How do I count the total in a subsearch with only totals that are greater than 100.

Dallastek
Explorer
sourcetype=mysource Name=web_access `myfilter` | stats count(Source_Host) as temp by Source_Host, Dest_Host | sort -temp | eval subtotal = temp."        " | stats list(Source_Host) AS Destination, list(subtotal) as Subtotal, sum(temp) as Total by Dest_Host | eval Total = Total."      " | sort - Total | rename Dest_Host AS Source 

Tried a subsearch, but no joy:

sourcetype=mysource Name=web_access `myfilter` | stats count(Source_Host) as temp by Source_Host, Dest_Host | sort -temp | eval subtotal = temp."        " | stats list(Source_Host) AS Destination, list(subtotal) as Subtotal, sum(temp) as Total by Dest_Host | eval Total = Total."      " | sort - Total | rename Dest_Host AS Source | search | stats count by  Source, Total | where count >100
1 Solution

woodcock
Esteemed Legend

If your first search works, then this should do it:

sourcetype=mysource Name=web_access `myfilter` | stats count(Source_Host) as temp by Source_Host, Dest_Host | sort -temp | eval subtotal = temp."        " | stats list(Source_Host) AS Destination, list(subtotal) as Subtotal, sum(temp) as Total by Dest_Host | eval count=Total | eval Total = Total."      " | sort - Total | rename Dest_Host AS Source | where count>100 | fields - count

BTW, this is not called a subsearch, and it confused the question very much that you used that term. I suppose this might be called a postsearch...?

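As an added example (not from this thread), the accepted search run against a constructed event set built with makeresults, so it can be pasted into any Splunk search bar without the original sourcetype or macro: the 137 generated events stand in for the web_access events, and the case() buckets are my assumption about which Source_Host/Dest_Host pairs exist.

```spl
| makeresults count=137
| streamstats count AS i
| eval Source_Host=case(i<=60, "1.1.1.1", i<=110, "4.4.4.4", i<=130, "1.1.1.1", true(), "5.5.5.5")
| eval Dest_Host=case(i<=60, "2.2.2.2", i<=110, "2.2.2.2", i<=130, "3.3.3.3", true(), "6.6.6.6")
| stats count(Source_Host) AS temp BY Source_Host, Dest_Host
| sort -temp
| eval subtotal=temp."        "
| stats list(Source_Host) AS Destination, list(subtotal) AS Subtotal, sum(temp) AS Total BY Dest_Host
| eval count=Total
| eval Total=Total."      "
| sort -count
| rename Dest_Host AS Source
| where count>100
| fields - count
```

Only Source 2.2.2.2 survives (60 + 50 = 110 events), with Destination 1.1.1.1 and 4.4.4.4 and Subtotal 60 and 50, while 3.3.3.3 (20) and 6.6.6.6 (7) are dropped. The numeric copy count is taken before Total is padded with spaces, because the padded value is a string and is no longer reliable to compare or sort numerically; for that reason this version also sorts on count, where the original sorts on the padded Total.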


Dallastek
Explorer

That works, thanks!!


Dallastek
Explorer

Sorry if this seems confusing. Really, what I need is to only show events that are greater than 100 in the Total column.


Dallastek
Explorer

That is actually two separate searches; it all got mushed together when I posted 🙂


Dallastek
Explorer

The output looks like this:

Source     Destination   subtotal   Total
1.1.1.1    2.2.2.2       3          5
           3.3.3.3       2


Dallastek
Explorer

Again, I posted 2 separate searches to show what I have tried; I don't run BOTH searches.
