Solved: Filtering based on quantity of list() results

Sam2 · ‎07-14-2014

Hello all,

I have this search:

...| streamstats window=1 global=false current=f last(_time) as next_time by cs_host,username| eval gap = next_time - _time |search gap>350| stats list(gap) by cs_host,username

which draws a nice table, grouped by list(gap). However, I'd like to remove any rows in the table that only have one results of list(gap), but am struggling with the syntax. Can anyone help please?

martin_mueller · ‎07-14-2014

How about this:

... | streamstats window=1 global=false current=f last(_time) as next_time by cs_host,username| eval gap = next_time - _time | search gap>350 | stats count list(gap) by cs_host username | where count > 1

View solution in original post

martin_mueller · ‎07-14-2014

How about this:

... | streamstats window=1 global=false current=f last(_time) as next_time by cs_host,username| eval gap = next_time - _time | search gap>350 | stats count list(gap) by cs_host username | where count > 1

Sam2 · ‎07-14-2014

Yes, that works! I think I was trying to over complicate it!

Filtering based on quantity of list() results

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes