Solved: Filtering results by count on one item

pitshot · ‎07-20-2014

What I am trying to accomplish.
Search for three items X Y and Z .
Count the total number of events for each X Y Z .
Display any results from X or Y and only display Z when the count is above 1.

I am having trouble with the last part of this search. I am not sure how to process the count of the Z result and drop results below the count of 1. I have tried several techniques but I have not had any success in putting the searches together.

strive · ‎07-20-2014

Try this

index=MyIndex (EventType="X" OR EventType="Y") | stats count as Count by EventType | append [search index=MyIndex EventType="Z" | stats count as Count by EventType | where Count > 1]

View solution in original post

strive · ‎07-20-2014

Try this

index=MyIndex (EventType="X" OR EventType="Y") | stats count as Count by EventType | append [search index=MyIndex EventType="Z" | stats count as Count by EventType | where Count > 1]

pitshot · ‎07-20-2014

Perfect, I was making the search into something way to complicated. The append works great Thanks

Filtering results by count on one item

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!