Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

Using where in search

balcv
Communicator
‎09-12-2019 06:57 PM

I have the following search

index="pan" (dest_ip="192.168.*" AND NOT src_ip="192.168.*" AND NOT src_location="AU" AND NOT src_location="*-*" ) 
| chart count by src_location,action

This results in a nice stacked column chart showing actions (allowed & blocked) per srclocation.
What I need to do is only show those srclocations where the total count (allowed + blocked) is greater than a specific value (eg totalCount >= 500).

I have tried using separate stats count by [field] as [name] statements then using eval to add them together but I can't get the results I'm wanting which is the stacked column graph by src_location showing allowed & blocked.

Any suggestions greatly appreciated.

Tags (3)
0 Karma
Reply
1 Solution
Highlighted
Solved! Jump to solution
Solution

Re: Using where in search

renjith_nair
SplunkTrust
SplunkTrust
‎09-12-2019 08:18 PM

@balcv ,

Try

index="pan" (dest_ip="192.168.*" AND NOT src_ip="192.168.*" AND NOT src_location="AU" AND NOT src_location="*-*" ) 
| chart count by src_location,action
| addtotals row=true fieldname=totalCount | where totalCount >= 500|fields - totalCount

View solution in original post

Reply
Highlighted
Solved! Jump to solution

Re: Using where in search

balcv
Communicator
‎09-12-2019 08:32 PM

Awesome. Thanks for that @renjith.nair

0 Karma
Reply