Splunk Search

How do I create a chart that only shows columns with greater than 1000 events?

Engager

I'm trying to make a stacked column chart showing how users are changing some setting ("powerChanged") by build.

Here's my search which is doing the trick to create a chart showing what the users are changing that setting to.

index = "power" name = "powerChanged" isTest = "False" isOnBattery=False buildSku="Enterprise" (build>=2500 AND build<=5900)  |  eval powerDiff= ABS( oldPower-newPower) 
| where powerDiff>5 AND powerDiff<100 | 
| chart count(newPower) as "Count" over build by newPower span=10 |

However, some of the builds only have 5-10 users whereas our production builds have thousands of users, making it difficult to look for trends. In the chart, how can I discard builds which have fewer than 1000 results?

0 Karma
1 Solution

Esteemed Legend

Like this:

index = "power" name = "powerChanged" isTest = "False" isOnBattery=False buildSku="Enterprise" (build>=2500 AND build<=5900)
|  eval powerDiff= ABS( oldPower-newPower) 
| where powerDiff>5 AND powerDiff<100 
| stats count by build newPower
| evenstats sum(count) AS newPowerCount BY newPower 
| where newPowerCount >=1000
| chart sum(count) as Count over build by newPower span=10

View solution in original post

Esteemed Legend

Like this:

index = "power" name = "powerChanged" isTest = "False" isOnBattery=False buildSku="Enterprise" (build>=2500 AND build<=5900)
|  eval powerDiff= ABS( oldPower-newPower) 
| where powerDiff>5 AND powerDiff<100 
| stats count by build newPower
| evenstats sum(count) AS newPowerCount BY newPower 
| where newPowerCount >=1000
| chart sum(count) as Count over build by newPower span=10

View solution in original post

SplunkTrust
SplunkTrust

Give this a try

index = "power" name = "powerChanged" isTest = "False" isOnBattery=False buildSku="Enterprise" (build>=2500 AND build<=5900)  |  eval powerDiff= ABS( oldPower-newPower) 
 | where powerDiff>5 AND powerDiff<100 
 | stats count by build newPower | where count>=1000
 | chart sum(count) as Count over build by newPower span=10
0 Karma

Engager

Thanks for helping a newbie out 🙂 This is close, but rather than "where count>1000", I want something like "where sum(count)>=1000" to reflect builds with 1000 users across all values of newPower, rather than builds with 1000 users at each newPower value.
Of course, I can't express it this way - I'll spend some more time thinking...

0 Karma

SplunkTrust
SplunkTrust

In that case you need the answer provided by @woodcock below, which does exactly the same.

0 Karma