how to stats counts if one of the field's value gr...

corehan · ‎05-01-2020

Hello,

I have ALERT field and in this field has different types ALERT values, so i want filter one of them counts if greater than 100

ALERT="LINK-3-UPDOWN" count=500
ALARM="IFNET/1/CRCERRORRISING" count =20

So I tried this but only show ALERT="LINK-3-UPDOWN" . I want see all values but "LINK-3-UPDOWN" filtered count

|stats count by DATE,Region,managed_object,ALERT |where count>100 AND ALARM="LINK-3-UPDOWN" |sort -count -ALARM

Regards,

PavelP · ‎05-03-2020

Hello @corehan,

if I understand it correctly, the problem is that the count field from the raw event get overwritten by count field generated by stats command.

.. | rex "count=(?<count_orig>\d+)" |stats count by DATE,Region,managed_object,ALERT |where count_orig >100 AND ALARM="LINK-3-UPDOWN" |sort -count -ALARM

alternatively (not tested):

|stats count AS amount by DATE,Region,managed_object,ALERT |where count>100 AND ALARM="LINK-3-UPDOWN" |sort -amount -ALARM

kamlesh_vaghela · ‎05-02-2020

@corehan
Can you please share some sample events and expected output?

how to stats counts if one of the field's value greater than 100 ?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

how to stats counts if one of the field's value greater than 100 ?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR