Splunk Search

How to search for values greater than 10 in the results?

chinmay25
Path Finder

I am working on the query that generates a table with count of security violations. I want to filter our the users with violations greater than 10. 

 

| rex field=_raw "(?<Message>Security\sviolation)\s\S+\s\S+\s(?<User>[A-Z0-9]+)"
| eval Time = strftime(_time, "%m-%d-%Y %H:%M:%S")
| rename JOBNAME as Jobname Time as Date
| eval Workload = substr(Jobname,1,3)
| stats count(Message) as "Security Violations" by Jobname User

 

Resulting table

UserSecurity Violations
ABC1
DEF4
GHI12
JKL3
XYZ`20

 

Thank you,

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| where 'Security Violations' > 10

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
| where 'Security Violations' > 10

isoutamo
SplunkTrust
SplunkTrust
In most cases use ” as values and ‘ as field names. Sometimes you need both on same time (see e.g. foreach + eval/fieldformat).
0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out &gt;&gt; As our brave ...