Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

where count is > 5

subtrakt
Contributor
‎02-21-2014 12:53 PM

Hi Everyone - I'm trying to reduce noise on some of my reports. Certain messages with "unreadable" are coming in and I only want them on the report if the the count is > 5. At the same time, I don't want to ignore everything else that is < 5 that does not include "unreadable"...

Here's what i thought made sense.
stats dc(MESSAGE) | where MESSAGE="unreadable" > 5

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-21-2014 01:28 PM

I don't quite understand your example, so here's how you would filter events based on your description:

... | where NOT (count <= 5 AND match(MESSAGE, "unreadable"))

That will drop events if the count is less or equal five and the message contains "unreadable".

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-21-2014 01:28 PM

I don't quite understand your example, so here's how you would filter events based on your description:

... | where NOT (count <= 5 AND match(MESSAGE, "unreadable"))

That will drop events if the count is less or equal five and the message contains "unreadable".

Reply
Solved! Jump to solution

subtrakt
Contributor
‎02-22-2014 01:01 PM

nevermind, didn't read peter's post. Thanks everyone.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-22-2014 12:50 PM

All the where needs is the two fields referenced - where they come from doesn't matter.

If you compute them using stats then yes, the stats must be somewhere before the where.

0 Karma
Reply
Solved! Jump to solution

subtrakt
Contributor
‎02-22-2014 12:47 PM

Martin, does stats have to be in the query before the '| where'?

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-21-2014 02:48 PM

Well, filtering based on message content isn't going to be possible after a stats dc(message) because that just yields a single number.

Reply
Solved! Jump to solution

petermuller
Explorer
‎02-21-2014 02:05 PM

I'd like to point out for the original poster that your method assumes that the stats command is "stats count by MESSAGE" instead of "stats dc(MESSAGE)", which will count the number of times a particular message in MESSAGE is encountered (which I believe is what they want) instead of counting the number of different values that MESSAGE holds (which is in the example, but not necessarily what they are asking for).

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...