Splunk Search

How to search for values greater than 10 in the results?

chinmay25
Path Finder

I am working on the query that generates a table with count of security violations. I want to filter our the users with violations greater than 10. 

 

| rex field=_raw "(?<Message>Security\sviolation)\s\S+\s\S+\s(?<User>[A-Z0-9]+)"
| eval Time = strftime(_time, "%m-%d-%Y %H:%M:%S")
| rename JOBNAME as Jobname Time as Date
| eval Workload = substr(Jobname,1,3)
| stats count(Message) as "Security Violations" by Jobname User

 

Resulting table

UserSecurity Violations
ABC1
DEF4
GHI12
JKL3
XYZ`20

 

Thank you,

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| where 'Security Violations' > 10

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
| where 'Security Violations' > 10

isoutamo
SplunkTrust
SplunkTrust
In most cases use ” as values and ‘ as field names. Sometimes you need both on same time (see e.g. foreach + eval/fieldformat).
0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...