Solved: how to use where parameter?

sunnyparmar · ‎06-15-2015

Hi,

I am using where clause but it is not giving any result. It showing the result as (0) in counts section. My query is -

eventtype="email_fetching" Fetching | where count>80 | stats count

Kindly suggest where I am wrong?

Thanks
Ankit

aholzer · ‎06-15-2015

You want to place the where clause after your stats count. Like so:

eventtype="email_fetching" Fetching  | stats count | where count>80

Hope this helps

stephanefotso · ‎06-16-2015

Hello! Put the where clause after the count.

    eventtype="email_fetching" Fetching| stats count as totalcount | where totalcount>80

Thanks

SGF

sunnyparmar · ‎06-16-2015

thanks buddy.. It works..

aholzer · ‎06-15-2015

You want to place the where clause after your stats count. Like so:

eventtype="email_fetching" Fetching  | stats count | where count>80

Hope this helps

sunnyparmar · ‎06-16-2015

thanks buddy.. It works..

sunnyparmar · ‎06-15-2015

My logs are showing on splunk like given below -

INFO [main] 05-21 10:00:53 Fetching 0 messages. Total 0 messages. (Reading.java:270)

how to use where parameter?