Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I filter the results of my stats search with a where condition?

TobiasBoone
Communicator
‎04-26-2016 09:46 AM

The pipeline logic of this discrete math is kicking me hard today. I need to be able to find a list of laptops that are checking into inventory over the past 30 days from off-premise, but have not checked in from on-premise.

I have a working search that gathers my entire inventory and looks up the client's address and returns subnet_descriptions. From that search I get ~100 results; anything unknown comes back as NONE where NONE means that it was off-premise. With this it is very easy to | where subnet_description = "NONE" but these results include machines that also checked in from on-premise in the same 30 days.

I can | stats count by machinename and then | where count = 1 which would get me close, but it wouldn't tell me if that 1 location was also "NONE" and because stats truncates off the subnet_description, I cannot do a subsequent | where ...

I can | stats count by machinename subnet_description but the count is then based upon the two criteria together and one machine gets multiple lines and again I can only filter on one.

I need some ideas on how to get just the overlap in these searches and essentially do a | stats count(machinename) | where count machinename = 1 and subnet_description="NONE"

Any brain checks would be greatly appreciated.

Tags (4)
0 Karma
Reply

woodcock
Esteemed Legend
‎04-26-2016 09:53 AM

You need eventstats. Try using | eventstats count AS CountByMachineName by machinename first. See what this does and go from there.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...