How to create search to return rows in table based...

johnsasikumar · ‎04-22-2019

I have a splunk query that forms table like this

Time    Type    Msg
10/1/2019 0:00  1   xyz
10/2/2019 0:00  2   xyz
10/3/2019 0:00  3   xyz
10/4/2019 0:00  4   xyz
10/5/2019 0:00  1   xyz
10/6/2019 0:00  1   xyz
10/7/2019 0:00  2   xyz
10/8/2019 0:00  2   xyz
10/9/2019 0:00  3   xyz
10/10/2019 0:00 3   xyz
10/11/2019 0:00 4   xyz
10/12/2019 0:00 3   xyz

How do i retain only the rows in the table where the count(type) is <3. So in this case i want the rows with type 4 to be removed because the count of events is less than 3.

VatsalJagani · ‎04-22-2019

Hi @johnsansikumar,
Please append below query after your existing query. (If you want to keep Type which has count less than 3, change where condition otherwise)

| eventstats count by Type | where count<3

Hope this helps!!

How to create search to return rows in table based on count?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation