Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I count the total in a subsearch with only totals that are greater than 100.

Dallastek
Explorer
‎07-10-2015 07:38 AM 
sourcetype=mysource Name=web_access `myfilter` | stats count(Source_Host) as temp by Source_Host, Dest_Host | sort -temp | eval subtotal = temp."        " | stats list(Source_Host) AS Destination, list(subtotal) as Subtotal, sum(temp) as Total by Dest_Host | eval Total = Total."      " | sort - Total | rename Dest_Host AS Source

Tried a subsearch but, no joy-

sourcetype=mysource Name=web_access `myfilter` | stats count(Source_Host) as temp by Source_Host, Dest_Host | sort -temp | eval subtotal = temp."        " | stats list(Source_Host) AS Destination, list(subtotal) as Subtotal, sum(temp) as Total by Dest_Host | eval Total = Total."      " | sort - Total | rename Dest_Host AS Source | search | stats count by  Source, Total | where count >100
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-10-2015 08:59 AM

If your first search works, then this should do it:

sourcetype=mysource Name=web_access `myfilter` | stats count(Source_Host) as temp by Source_Host, Dest_Host | sort -temp | eval subtotal = temp."        " | stats list(Source_Host) AS Destination, list(subtotal) as Subtotal, sum(temp) as Total by Dest_Host | eval count=Total | eval Total = Total."      " | sort - Total | rename Dest_Host AS Source | where count>100 | fields - count

BTW, this is not called a subsearch, and it confused the question very much that you used that term. I suppose this might be called a postsearch...?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-10-2015 08:59 AM

If your first search works, then this should do it:

sourcetype=mysource Name=web_access `myfilter` | stats count(Source_Host) as temp by Source_Host, Dest_Host | sort -temp | eval subtotal = temp."        " | stats list(Source_Host) AS Destination, list(subtotal) as Subtotal, sum(temp) as Total by Dest_Host | eval count=Total | eval Total = Total."      " | sort - Total | rename Dest_Host AS Source | where count>100 | fields - count

BTW, this is not called a subsearch, and it confused the question very much that you used that term. I suppose this might be called a postsearch...?

0 Karma
Reply
Solved! Jump to solution

Dallastek
Explorer
‎07-10-2015 09:45 AM

That works thanks!!

0 Karma
Reply
Solved! Jump to solution

Dallastek
Explorer
‎07-10-2015 08:46 AM

Sorry if this seems confusing. really what I need is to only show events that are greater than 100 in the total column.

0 Karma
Reply
Solved! Jump to solution

Dallastek
Explorer
‎07-10-2015 07:44 AM

that is actually two separate searches, It all got mushed together when I posted 🙂

0 Karma
Reply
Solved! Jump to solution

Dallastek
Explorer
‎07-10-2015 08:09 AM

the output looks like this:
Source-----------------------Destination-----------------------------subtotal----------------Total
1.1.1.1 2.2.2.2 3 5
3.3.3.3 2

0 Karma
Reply
Solved! Jump to solution

Dallastek
Explorer
‎07-10-2015 08:10 AM

Again I posted 2 seperate searches to show what I have tried, I dont run BOTH searches

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...