Solved: How to do a stats count by abc | where count > 2?

bijodev1 · ‎02-28-2022

Hey there,

I have a field let's say "abc" with values as such : 1,3,5,7,5,3,2,1,5,7,8,5,1,1,2,2,3,2,1,1,2,3,2,3

here what I am trying to look here is first do a stats count by abc | where count > 2

and then again do a stats dc(abc) by "some other field"

I have tried do to it but unable to get any results not sure if there is any other option to perform it.

thanks

somesoni2 · ‎02-28-2022

In general, you'd use eventstats (perform statistics without transforming original events) to do this:

Your base search
| eventstats count by abc | where count > 2 
| stats dc(abc) as abcs by other_field

There could be better performing options (e.g. do stats by both fields and then do filter and another stats but it depends upon your data and requirement. If you can share some sample data and full search that you want to perform, we may give some suggestions.

View solution in original post

bijodev1 · ‎02-28-2022

for the same one, if I have to pull the max and min for the stats values(abc) by some_field like how is it possible.

bijodev1 · ‎02-28-2022

@somesoni2 thank you, it worked.

somesoni2 · ‎02-28-2022

In general, you'd use eventstats (perform statistics without transforming original events) to do this:

Your base search
| eventstats count by abc | where count > 2 
| stats dc(abc) as abcs by other_field

There could be better performing options (e.g. do stats by both fields and then do filter and another stats but it depends upon your data and requirement. If you can share some sample data and full search that you want to perform, we may give some suggestions.

PickleRick · ‎02-28-2022

Use eventstats instead of stats if you don't want to lose the original data.

How to do a stats count by abc | where count > 2?

count

stats

Splunk APM & RUM | Upcoming Planned Maintenance

Part 2: Diving Deeper With AIOps

User Groups | Upcoming Events!