Splunk Search

How do I show stats where count is greater than 10, but without showing count field?

mplautz
Explorer

I have an example query where I show the elapsed time for all log lines where detail equals one of three things, and I show the stats of the elapsed field:

normalized_source=http_plugin (detail=/online/public/userIdentify OR detail=/online/successfulLogin OR detail=/online/home) | 
stats avg(elapsed), median(elapsed), p90(elapsed) by detail

So an issue I run into is it matches both where detail equals "successfulLogin" as well as "successfullogin" (with a second lowercase L). The "successfullogin" exists in the logs because of tests done against the production environment, but doesn't reflect useful data. In fact, there are only 2 or 3 logs of the "successfullogin" whereas there are 40,000+ of all the others. I'd like to remove that result so I just show the three, because I am interested in the visualization of this (and I don't want a random 4th result). There are 3 ways I could go about this:
1. Limit the results to three
2. Make the detail= case sensitive
3. Show only the results where count is greater than, say, 10.

I don't really know how to do any of these (I'm pretty new to Splunk). I have tried option three with the following query:

normalized_source=http_plugin (detail=/online/userIdentify OR detail=/online/successfulLogin OR detail=/online/home) | stats count, avg(elapsed), median(elapsed), p90(elapsed) by detail | where count > 10

However, this includes the count field in the results. This is fine except when I turn this into a bar chart, the count column skews the other values (since it is so much larger). How could I redo that query to omit the count field?

(And for extra credit, how would I redo the first query to do option 1 and 2? I keep trying to modify the query and it does not give me the expected results.)

1 Solution

ppablo
Retired

Hi @mplautz

Can you try using the fields command in your 2nd search query and see if it works for you?

normalized_source=http_plugin (detail=/online/userIdentify OR detail=/online/successfulLogin OR detail=/online/home) | stats count, avg(elapsed), median(elapsed), p90(elapsed) by detail | where count > 10 | fields - count
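The extra-credit options from the question (case-sensitive matching and a count threshold, with the count column dropped at the end), as an added SPL example that is not part of the original answer. It assumes the same field names as the question (normalized_source, detail, elapsed); the where command compares strings case-sensitively, unlike the initial search, and fields - count must come after where count > 10 or the filter has nothing to test.

```spl
normalized_source=http_plugin (detail=/online/userIdentify OR detail=/online/successfulLogin OR detail=/online/home)
| where detail=="/online/userIdentify" OR detail=="/online/successfulLogin" OR detail=="/online/home"
| stats count, avg(elapsed), median(elapsed), p90(elapsed) by detail
| where count > 10
| fields - count
```

For option 1 instead of the threshold, replace the second where with `| sort - count | head 3` to keep only the three most frequent detail values before count is removed.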

mplautz
Explorer

I saw you posted this as an answer before it was a comment. Now I cannot give you "correct answer" credit.

ppablo
Retired

Just converted it back to an answer 🙂 glad it worked!

mplautz
Explorer

That's it, it worked! I suppose I should have been more thorough in my Google searches to try to see how to remove columns from results.
