Solved: Problem with using stats for a count, and also to ... - Splunk Community

Splunk Search

So, I am going through windows logs, and have output that works for me with something like:

index=windows sourcetype="WinLog" EventCode=XXXX | stats values(Account) by host_machine

But I only want to have hast_machines, where there are more than 5 events. I don't care if there is 1 or 100 'Account' values.

I had attempted to do a subsearch, but something went sideways on that one. Anyone do something like this in the past?

1 Solution

Solution

Give this a try

index=windows sourcetype="WinLog" EventCode=XXXX | stats values(Account) count by host_machine | where count>5 | fields - count

View solution in original post

Solution

Give this a try

index=windows sourcetype="WinLog" EventCode=XXXX | stats values(Account) count by host_machine | where count>5 | fields - count

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...