Splunk Search

How do I filter my search to only display users that have appeared a minimum of 5 times?

bspier1
New Member

Hi There,

I have a field that identifies users, e.g. userID. I also have a field that is common in every log, e.g. command.

How can I create a timechart that doesn't return all users, rather, just users who have appeared a minimum of five times?

I tried the following search, but it didn't return any results:

stats count(command) as Uses by userID | Where Uses>5 | timechart span=1d dc(userID)

Thanks!

0 Karma
1 Solution

javiergn
SplunkTrust

timechart needs a _time field in order to work.
Try the following instead:

| yoursearch
| bucket span=1d _time
| stats count(command) as Uses by userID, _time
| where Uses>=5
| timechart span=1d dc(userID)

Or this:

| yoursearch
| timechart span=1d limit=0 count by userID
| untable _time userID count
| where count>=5
| xyseries _time userID count

0 Karma
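As an added, self-contained example (this is not code from the thread, and neither bspier1's nor javiergn's query): the accepted search above applies the threshold per day, because stats ... by userID, _time counts within each daily bucket, so a user with two commands on each of three days never reaches five. If the requirement is "at least five appearances anywhere in the search window", carry the per-user total onto every event with eventstats before filtering, and only then build the chart. The search below fabricates its own events with makeresults so it runs offline on any Splunk instance; the field names userID and command are the ones from the question, while the users, commands and dates are constructed sample data.

```spl
| makeresults count=1
| eval raw="2024-03-01 alice ls;2024-03-01 alice cat;2024-03-01 bob ls;2024-03-02 alice sudo;2024-03-02 alice vi;2024-03-02 bob cat;2024-03-03 alice id;2024-03-03 carol ls;2024-03-04 carol ls;2024-03-04 carol id;2024-03-04 carol cat;2024-03-05 carol sudo;2024-03-05 carol vi"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<day>\S+)\s+(?<userID>\S+)\s+(?<command>\S+)$"
| eval _time=strptime(day, "%Y-%m-%d")
| fields _time userID command
| eventstats count(command) as Uses by userID
| where Uses>=5
| timechart span=1d dc(userID) as active_users
```

With the constructed data alice has 5 events, bob 2 and carol 6, so bob is dropped and the chart shows one active user on 03-01, 03-02, 03-04 and 03-05 and two on 03-03. Replace the final timechart with | stats count(command) as Uses, values(command) as commands by userID to get the triage table of qualifying users instead of the chart. where Uses>=5 and search Uses>=5 are interchangeable for a numeric comparison like this one; they only differ when the right-hand side is itself a field name (where compares the two fields, search treats it as a literal string) or when a function is needed. eventstats has to hold every matching event in memory (it is bounded by max_mem_usage_mb in limits.conf), so over large time ranges prefer a stats-first search and join the per-user totals back in.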


bspier1
New Member

I couldn't get either query to work.

I think the Where clause is the problem in both queries. I notice that 'where' is supposed to only be used when relating two fields. Maybe that's a problem with using where?

0 Karma

javiergn
SplunkTrust

You can use either "search count > 5" or "where count > 5".
Try search instead, but both should work just fine.

0 Karma

bspier1
New Member

I was able to get the first query to work if I replaced 'where' with 'search'. I think using 'where' was really my problem, and now it works much better with 'search'. Thanks so much for the tip, I'm hanging onto your first query above.

0 Karma

ppablo
Retired

Hi @bspier1

I'm glad you were able to find a solution through @javiergn 🙂 Please don't forget to resolve your questions by clicking "Accept" directly below the answer. This will help make it easier for other users finding an answer to the same/similar question. Thanks!

Patrick

0 Karma

javiergn
SplunkTrust

If none work, can you paste your whole query here?

0 Karma