Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Using where in search
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
balcv
Contributor
09-12-2019
06:57 PM
I have the following search
index="pan" (dest_ip="192.168.*" AND NOT src_ip="192.168.*" AND NOT src_location="AU" AND NOT src_location="*-*" )
| chart count by src_location,action
This results in a nice stacked column chart showing actions (allowed & blocked) per src_location.
What I need to do is only show those src_locations where the total count (allowed + blocked) is greater than a specific value (eg totalCount >= 500).
I have tried using separate stats count by [field] as [name] statements then using eval to add them together but I can't get the results I'm wanting which is the stacked column graph by src_location showing allowed & blocked.
Any suggestions greatly appreciated.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
09-12-2019
08:18 PM
@balcv ,
Try
index="pan" (dest_ip="192.168.*" AND NOT src_ip="192.168.*" AND NOT src_location="AU" AND NOT src_location="*-*" )
| chart count by src_location,action
| addtotals row=true fieldname=totalCount | where totalCount >= 500|fields - totalCount
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
09-12-2019
08:18 PM
@balcv ,
Try
index="pan" (dest_ip="192.168.*" AND NOT src_ip="192.168.*" AND NOT src_location="AU" AND NOT src_location="*-*" )
| chart count by src_location,action
| addtotals row=true fieldname=totalCount | where totalCount >= 500|fields - totalCount
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
balcv
Contributor
09-12-2019
08:32 PM
Awesome. Thanks for that @renjith.nair
Get Updates on the Splunk Community!
Data Management Digest – December 2025
Welcome to the December edition of Data Management Digest!
As we continue our journey of data innovation, the ...
Index This | What is broken 80% of the time by February?
December 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Hello Splunk Community,
We're thrilled to share an exciting update that will help you manage your data more ...
