Splunk Search

How to write a search to filter and only return results for a field with a count greater than 2?

rgtsplunk
Explorer

It seems that this should be a simple filter, but we cannot seem to find out how to do this in Splunk.

We do a search, returning a UserID and a Source_Address. We would like to show all the source addresses for the given UserID, but only if the number of source addresses for that UserID is greater than 2.

We can use "stats distinct_count(Source_Address) as num_sources BY UserID | search num_sources > 2", but the output of that no longer has the actual Source Addresses for us to show - only the number. The "where" clause does not specify a way of counting by UserID, nor does anything else, it appears.

The only other thing we can see is to do the whole search as a sub-search, just returning the UserIDs, and then using that as a filter for the search again. This seems very inefficient. Can anyone suggest a better method?


somesoni2
SplunkTrust

Try this

...your base search... | stats count by UserID Source_Address | eventstats count as num_sources by UserID | search num_sources > 2 | table UserID Source_Address

vasanthmss
Motivator

Try this,
|eventstats dc(sourceaddress) as count by userid|search count >2

V
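As an added, self-contained example (not part of the original thread), the search below builds a small constructed sample with makeresults so the distinct-count filter from the two answers can be run in any Splunk instance without a base search; the field names UserID and Source_Address follow the question, and the stats step keeps one row per user/address pair so the addresses themselves survive the filter:

```spl
| makeresults
| eval data="alice:10.0.0.1;alice:10.0.0.2;alice:10.0.0.3;alice:10.0.0.1;bob:10.0.0.7;bob:10.0.0.8;carol:10.0.0.9"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<UserID>[^:]+):(?<Source_Address>.+)$"
| fields UserID Source_Address
| stats count AS logins BY UserID Source_Address
| eventstats dc(Source_Address) AS num_sources BY UserID
| where num_sources > 2
| table UserID Source_Address logins num_sources
```

Only the alice rows are returned, since alice is the only constructed user seen from more than two distinct addresses (bob has two, carol one). On indexed data, replace everything before the stats command with the real base search.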