Splunk Search

how to use where parameter?

sunnyparmar
Communicator

Hi,

I am using where clause but it is not giving any result. It showing the result as (0) in counts section. My query is -

eventtype="email_fetching" Fetching | where count>80 | stats count

Kindly suggest where I am wrong?

Thanks
Ankit

Tags (2)
0 Karma
1 Solution

aholzer
Motivator

You want to place the where clause after your stats count. Like so:

eventtype="email_fetching" Fetching  | stats count | where count>80

Hope this helps

View solution in original post

stephanefotso
Motivator

Hello! Put the where clause after the count.

    eventtype="email_fetching" Fetching| stats count as totalcount | where totalcount>80 

Thanks

SGF

sunnyparmar
Communicator

thanks buddy.. It works..

0 Karma

aholzer
Motivator

You want to place the where clause after your stats count. Like so:

eventtype="email_fetching" Fetching  | stats count | where count>80

Hope this helps

sunnyparmar
Communicator

thanks buddy.. It works..

0 Karma

sunnyparmar
Communicator

My logs are showing on splunk like given below -

INFO [main] 05-21 10:00:53 Fetching 0 messages. Total 0 messages. (Reading.java:270)

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...