- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- first question ever - help with greater than - yes...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry for the newb question, but I'm trying to alert based on "results" greater than a threshold of say 350 for a particular field. The field is not a numerical value field, so I can't simply use the > sign in the search string. When I tell it <search string> | chart count by <field> WHERE <field> > 350 , it doesn't work and still returns results with higher and lower counts as if my instructions weren't even there.
Here's my search, if needed: index=blah sourcetype=blah "logged in" | stats count by location
returns:
location count
abq 434
ama 376
anc 260
boi 393
I only want to see results of locations with a "logged in" count greater than 350.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
append this to your search:
... | where count > 350
to somthing like this:
index=blah sourcetype=blah "logged in" | stats count by location | where count > 350
Greetings
Tom
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I hate it when simple things get the best of me. (Happens more than I like to admit)
Thanks for the help, fellas! The fix: I was missing the pipe in front of the 'where'. It works as | stats count as logins by | where logins > 250
So easy a caveman could do it. . . lucky for me!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi mbond81,
I'm not sure if chart really supports this; the docs are not so clear about it.
Nevertheless you got something wrong here; your example should use count in the where clause and not field :
<search string> | chart count by <field> | where count > 350
If you want to use field then do something like this:
<search string> <field> > 350 | chart count by <field>
timechart does support the use of where (see docs after example 4 http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart#Examples ) :
<search string> | timechart count by <field> WHERE count > 350
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
append this to your search:
... | where count > 350
to somthing like this:
index=blah sourcetype=blah "logged in" | stats count by location | where count > 350
Greetings
Tom
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
