Re: 'Stats count by' set to specific count?

bcjammer03 · ‎11-18-2020

I'm trying to create a query where I get results of a specific user triggering two of the same alerts. Is there a way to set 'stats count by' to equal 2, that results will show only users that have triggered this alert twice?

Or is there a specific command that will allow me to do this?

index=`email` action=blocked | stats count by user_ID

richgalloway · ‎11-18-2020

There is no specific command for that, but there is a simple combination of commands.

index=`email` action=blocked 
| stats count by user_ID
| where count > 1

---
If this reply helps you, Karma would be appreciated.

bcjammer03 · ‎11-18-2020

yes! thank you @richgalloway

isoutamo · ‎11-18-2020

Small fix as @bcjammer03 asked "triggered twice" you should use "| where count = 2"

richgalloway · ‎11-18-2020

That is a more precise match to the requirements, but I presumed "thrice" is just as interesting as "twice".

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.

'Stats count by' set to specific count?

count

eval

stats

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle

Are you a member of the Splunk Community?