Filter the number of less than 1000 of the data example: index=app sourcetype=EPC*Event* level=ERROR |rex field=requestUrl mode=sed "s/\\d|\d\|%\/|\$amps;\/|\)\/|\(\/|%|\$|\d|\(|\)/@/g"|stats count as Counts by eventId,eventName,level,sourcetype,requestUrl|sort -Counts| head 30|rename sourcetype As Sourcetype,eventId As Eventcode,eventName as Description|fields Sourcetype,Eventcode,Counts,Description,requestUrl how to filter the number of Counts less than 1000 of the data? Thanks! ... View more

Hi Now I need to show the current count and the count five minutes ago in one row. The current count search is: index=app host="xxxx" sourcetype=xxx status>399 route =* earliest=-15m@m latest=@m| bucket span=5m _time | stats count as current_count by _time route And the respected result is like this: How can I do it? ... View more

Here are some eventNames: 2022-NO_USER_IN_SESSION , 1022-DRR_INFO , ... I need the values like: NO_USER_IN_SESSION , 1022-DRR_INFO (so eventName=NO_USER_IN_SESSION ) How to split the eventNames (2022-NO_USER_IN_SESSION, 1022-DRR_INFO) index=app sourcetype=Epc*Event splunk_server_group=ewe sourcetype=EpcPromotionsEvent eventName=? ... View more