Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to chart by count, but only if the count is over a given number?

jleppert
New Member
‎04-29-2015 08:50 PM

I'm trying to get a graph based on this:

timechart span=1h count by src_ip

However, I only want to display results if the count is over a given number. How can I do this? I tried |where count>100, but not working.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ramdaspr
Contributor
‎04-29-2015 09:49 PM

Thats because your results do not have a field called "count" when you use a "by" clause in timechart and so the filter would give you no results.

The query filter where would work as you expect if you remove the by clause, but since you are splitting them by src_ip you dont have an option to filter them further.

The only option is to use stats command to do the split and filter and then convert into a chart or xyseries to plot a graph again.

|bucket span=1h _time | stats count by _time src_ip | where count >100 | xyseries _time,src_ip,count

View solution in original post

Reply
Solved! Jump to solution
Solution

ramdaspr
Contributor
‎04-29-2015 09:49 PM

Thats because your results do not have a field called "count" when you use a "by" clause in timechart and so the filter would give you no results.

The query filter where would work as you expect if you remove the by clause, but since you are splitting them by src_ip you dont have an option to filter them further.

The only option is to use stats command to do the split and filter and then convert into a chart or xyseries to plot a graph again.

|bucket span=1h _time | stats count by _time src_ip | where count >100 | xyseries _time,src_ip,count
Reply
Solved! Jump to solution

jleppert
New Member
‎04-30-2015 02:48 AM

... thanks again!

0 Karma
Reply
Solved! Jump to solution

jleppert
New Member
‎04-29-2015 10:06 PM

Thanks, it works as expected!

0 Karma
Reply
Solved! Jump to solution

jleppert
New Member
‎04-29-2015 10:16 PM

This works well for a bar chart but for a line chart, it does not connect a src-ip count from one hour to the next. Is there a way to do that?

0 Karma
Reply
Solved! Jump to solution

ramdaspr
Contributor
‎04-30-2015 12:27 AM

Are you using this query on a dashboard or on the search panel?

If on the search panel, use the formatting option to set Null Value to zero

If on the dashboard, set 

<option name="charting.chart.nullValueMode">zero</option>

This will force the chart to connect but dip to zero if a particular hour doesnt have any data.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...