Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I filter my search to only display users that have appeared a minimum of 5 times?

bspier1
New Member
‎01-12-2016 06:53 AM

Hi There,

I have a field that identifies users, e.g. userID. I also have a field that is common in every log, e.g. command.

How can I create a timechart that doesn't return all users, rather, just users who have appeared a minimum of five times?

I tried the following search, but it didn't return any results:

stats count(command) as Uses by userID | Where Uses>5 | timechart span=1d dc(userID)

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎01-12-2016 07:58 AM

Time chart needs a time field in order to work.
Try the following instead:

| yoursearch
| bucket span=1d _time
| stats count(command) as Uses by userID, _time
| Where Uses>5 
| timechart span=1d dc(userID)

Or this:

| yoursearch
| timechart span=1d count by userID
| Where count > 5

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎01-12-2016 07:58 AM

Time chart needs a time field in order to work.
Try the following instead:

| yoursearch
| bucket span=1d _time
| stats count(command) as Uses by userID, _time
| Where Uses>5 
| timechart span=1d dc(userID)

Or this:

| yoursearch
| timechart span=1d count by userID
| Where count > 5
0 Karma
Reply
Solved! Jump to solution

bspier1
New Member
‎01-12-2016 08:24 AM

I couldn't get either query to work.

I think the Where clause is the problem in both queries. I notice that 'where' is supposed to only be used when relating two fields. Maybe that's a problem with using where?

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎01-12-2016 08:29 AM

You can use both "search count > 5" or "where count > 5"
Try search instead but both should work just fine.

0 Karma
Reply
Solved! Jump to solution

bspier1
New Member
‎01-12-2016 08:38 AM

I was able to get the first query to work if I replaced 'search' instead of 'where'. I think using 'where' was really my problem, and now it works much better with 'search'. Thanks so much for the tip, I'm hanging onto your first query above.

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎01-12-2016 11:15 AM

Hi @bspier1

I'm glad you were able to find a solution through @javiergn 🙂 Please don't forget to resolve your questions by clicking "Accept" directly below the answer. This will help make it easier for other users finding an answer to the same/similar question. Thanks!

Patrick

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎01-12-2016 08:30 AM

If none work, can you paste your whole query here?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...