How to exclude counts (stats count by) with a flat...

mcrawford44 · ‎08-22-2014

Weird one. I have a query that requires a flat format output with table;

index=foo | table name product publisher version

The output is such;

name1 product1 publisher1 version1
name1 product2 publisher2 version2
name1 product3 publisher3 version3

The data is a list of applications installed on a machine.

I want to exclude products where the total count is under 21. However I still need the flat table format above. The expanded name column/field. I can't seem to figure out how to both exclude products with a total count over 21, while still presenting the flat table view.

I CAN list the applications under 21 and filter in search, but there are 45000+ records for that and Chrome can't seem to handle it. Nor is that efficient in any way.

Any ideas?

I want these products excluded, but retain the flat table with expanded name;

index=foo | stats count by Product | where count < 21

Thanks!

somesoni2 · ‎08-22-2014

@Strive answer should do the task for you.

Alternatively try this

index=foo [ search index=foo | stats count by Product | where count < 21 | table Product]| table name product publisher version

strive · ‎08-22-2014

Try this

Your search for flat table ... | eventstats count as Count by name | where Count > 21 | fields - Count

If you need based on product field

Your search for flat table ... | eventstats count as Count by product | where Count > 21 | fields - Count

How to exclude counts (stats count by) with a flat table format?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms