Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

The "where count" clause is showing no results

anayi
Observer
‎10-03-2024 08:43 AM

I'm trying to create an alert. The alert's query ends with " | stats values(*) as * by actor.displayName | stats count(actor.displayName)".

anayi_0-1727969909088.png

I want to add the clause, " | where count > 5" at the end of the query. To verify that the query would work, I changed it "| where count < 5", but I'm getting no results.

anayi_1-1727970089613.png

 

Labels (1)
Labels
Tags (3)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-03-2024 09:25 AM 
| stats count(actor.displayName)

will give you a field called "count(actor.displayName)" not "count" which is why the where command returns no results. Try it like this

| stats count(actor.displayName) as count | where count < 5
0 Karma
Reply

anayi
Observer
‎10-03-2024 09:03 AM

I removed "(actor.displayName)" from the first "count" command and it works now.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...