Solved: Re: How do I edit my search to only display result...

manhuang · ‎12-14-2015

index=app sourcetype=epcpromotionsevent | stats count as num  by eventName,hotelId

The search above will display count, eventName, and hotelId.
I only want to display results based on these conditions:
1.when count is 1, and more than 2 row data record, then display.
2.when count is more than 1, display.
3.others, no display.

sundareshr · ‎12-15-2015

See if this works for you

index=app sourcetype=epcpromotionsevent | stats count as num  by eventName, hotelId | stats values(eventName) as eventName values(hotelId) as hotelId count by num | where count > 1 OR num>1

View solution in original post

sundareshr · ‎12-15-2015

See if this works for you

index=app sourcetype=epcpromotionsevent | stats count as num  by eventName, hotelId | stats values(eventName) as eventName values(hotelId) as hotelId count by num | where count > 1 OR num>1

jmallorquin · ‎12-15-2015

index=app sourcetype=epcpromotionsevent | stats count as num by eventName,hotelId | where count > 1

manhuang · ‎12-15-2015

1.when count is 1, and more than 2 row data record, then display.

not just count bigger than 1 are displayed,it needs two data records whose count is bigger than 1.
If only one row data record which count is 1, I dont want to display.

jmallorquin · ‎12-16-2015

index=app sourcetype=epcpromotionsevent | stats count as num dc(eventName) as dc_e dc(hotelId) as dc_h by eventName,hotelId |eval row=dc_e+dc_h| where count > 1 AND row>2

How do I edit my search to only display results based on these conditions?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms