Solved: display results only above certain number

robK123 · ‎12-30-2012

I have this search I want to only display results for when the sum(failures) is higher than 4 how can I do this?

(index=infrastructure-os OR index=main) sudo "incorrect password attempt*" 
|rex field=_raw "sudo:[^a-z]+(?<user>[^ ]+) : (?<failures>[0-9]+) incorrect"
|stats sum(failures) by user, host 
| where user!="addm"|

lguinn2 · ‎12-30-2012

Try this!

(index=infrastructure-os OR index=main) sudo "incorrect password attempt*" 
| rex field=_raw "sudo:[^a-z]+(?<user>[^ ]+) : (?<failures>[0-9]+) incorrect"
| stats sum(failures) as totalFailures by user, host 
| where user!="addm" AND totalFailures > 4

Notice that you can give a name to the results of the stats calculation. Once it has a field name (totalFailures), you can use it in further commands...

View solution in original post

lguinn2 · ‎12-30-2012

Try this!

(index=infrastructure-os OR index=main) sudo "incorrect password attempt*" 
| rex field=_raw "sudo:[^a-z]+(?<user>[^ ]+) : (?<failures>[0-9]+) incorrect"
| stats sum(failures) as totalFailures by user, host 
| where user!="addm" AND totalFailures > 4

Notice that you can give a name to the results of the stats calculation. Once it has a field name (totalFailures), you can use it in further commands...

robK123 · ‎01-02-2013

That worked! Thanks

display results only above certain number

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

display results only above certain number

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers