Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search for values greater than 10 in the results?

chinmay25
Path Finder
‎01-19-2022 07:32 AM

I am working on the query that generates a table with count of security violations. I want to filter our the users with violations greater than 10. 

 

| rex field=_raw "(?<Message>Security\sviolation)\s\S+\s\S+\s(?<User>[A-Z0-9]+)"
| eval Time = strftime(_time, "%m-%d-%Y %H:%M:%S")
| rename JOBNAME as Jobname Time as Date
| eval Workload = substr(Jobname,1,3)
| stats count(Message) as "Security Violations" by Jobname User

 

Resulting table

UserSecurity Violations
ABC1
DEF4
GHI12
JKL3
XYZ`20

 

Thank you,

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-19-2022 07:44 AM 
| where 'Security Violations' > 10

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-19-2022 07:44 AM 
| where 'Security Violations' > 10
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎01-19-2022 08:45 AM
In most cases use ” as values and ‘ as field names. Sometimes you need both on same time (see e.g. foreach + eval/fieldformat).
0 Karma
Reply
Get Updates on the Splunk Community!

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...