How to apply this filter condition to my search re...

srohith87 · ‎06-20-2016

Hi team,

I am new to Splunk. Please guide me how to apply a filter condition in which I need to extract only count =1.

Below is my search:

index="victindex" sourcetype="ContainerEvents" | rex field=_raw "^(?:[^\.\n]*\.){2}(?P\w+)" | search qceventtype=ContainerEvent | xmlkv |  stats count as "Count of Search Object" by _time | where count = 1

Above search is not giving me any result set, even though I have 27 events.

woodcock · ‎06-23-2016

You are doing where by a field name ( count ) that does not exist. Try this:

index="victindex" sourcetype="ContainerEvents" | rex field=_raw "^(?:[^\.\n]*\.){2}(?P\w+)"
| search qceventtype=ContainerEvent | xmlkv
| stats count BY _time | where count = 1
| rename count AS "Count of Search Object"

jkat54 · ‎06-21-2016

Here the count is the count of events. So if you have 27 events, count does not equal to 1 and your where clause is excluding the results.

Can you provide a sample of the data?

sundareshr · ‎06-21-2016

Try

....  | stats count by _time | where count = 1 | rename count as "Count of Search Object"

srohith87 · ‎06-22-2016

Thank you sundar, It works...
can you tell me how difference it is filtering the aggregated group value such as "having max(salary) > 25000", how can I apply this in the search command

Hi JKAT54,

yes, the count I represented is total events. To the top of it I will be applying the count of specific column to eventually evaluate the total by its.

How to apply this filter condition to my search result?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life