Splunk Search

How to select only specific values into search?

badrinath
Path Finder

Hi all, I have a table and I need to highlight the values that are greater than, let's say, 5 in a line graph. How do I select only those specific values in the search?

 

0 Karma
1 Solution

ITWhisperer
SplunkTrust

| bin _time span=10m
| stats count by _time country
| where count > 5
| xyseries _time country count


richgalloway
SplunkTrust

This use case is not clear.  You have a table and want to make a line graph?  Do you want to highlight the anomalous values or select them?

If you know you only want values greater than 5 then a where clause should do the job.

... | where myField > 5

If you don't know what the threshold value should be then consider the anomalousvalue command.

... | anomalousvalue action=filter myField

Do tell us more about the use so we can offer better answers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

badrinath
Path Finder

Thanks for the reply, but actually I have this kind of values

badrinath_0-1652155181764.png

and I am using this query

... | bucket _time span=10m
| chart count by _time,country

and I got the result as shown below

badrinath_1-1652155565927.png

Now when I convert it into a graph I wanted to highlight points that are greater than 5 and also to filter out those points.

 

0 Karma

ITWhisperer
SplunkTrust

| bin _time span=10m
| stats count by _time country
| where count > 5
| xyseries _time country count

badrinath
Path Finder

Thank you, that worked, but first I need to show the graph for all the data, then highlight the points greater than 5, and then filter out those points.

This worked well for filtering, but I need to highlight them also.

0 Karma

ITWhisperer
SplunkTrust

A graph is a visualisation of a table of data.

You can have a table with all the data and you can have another table with the filtered data - the visualisation isn't normally going to change from one table to the other.

0 Karma

badrinath
Path Finder

In the graph with all the data I need to highlight only the points that are greater than 5. Is it possible?

0 Karma

ITWhisperer
SplunkTrust

This is not possible with standard graphs (as far as I am aware) - having said that, you could overlay a line at 5 so that it is obvious which points are above it.

0 Karma

badrinath
Path Finder

But I am using Dashboard Studio and I think overlay is not possible in it. Can you please confirm?

0 Karma

ITWhisperer
SplunkTrust

I don't use Dashboard Studio due to such limitations!

If you are already using a line graph, it could just be another series in the table

| bin _time span=10m
| stats count by _time country
| where count > 5
| xyseries _time country count
| eval threshold=5

badrinath
Path Finder

Thanks

0 Karma

ITWhisperer
SplunkTrust

your search
| where value > 5
0 Karma
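
Added example, not part of the original thread: one way to chart all the data while marking the points above 5, building on the "another series in the table" suggestion above. The makeresults events, the field name series and the " (>5)" label are constructed for illustration; the first four lines only generate sample events (US exceeds 5 per 10 minutes in the second hour) and would be replaced by your own search.

```spl
| makeresults count=120
| streamstats count AS n
| eval _time = relative_time(now(), "-2h@h") + (n * 60)
| eval country = case(n > 60 AND n % 10 < 7, "US", n % 3 == 0, "DE", n % 3 == 1, "IN", true(), "US")
| bin _time span=10m
| stats count by _time country
| eval series = country
| appendpipe
    [ where count > 5
    | eval series = country . " (>5)" ]
| xyseries _time series count
| eval threshold = 5
```

Each column of the result is drawn as its own line-chart series, so "US (>5)" has values only in the time buckets where the US count exceeds 5, and threshold is a flat line at 5.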