Splunk Search

How to subtract the first X number from count of a deduped field for a timechart?

jpriceit
Engager

I have a timechart that visualizes the monthly count of unique locations accessed, but I need to remove the first (in order of time) 10,000 unique locations. Here is my original search that builds the timechart:

search resulting in events with various Latitude and Longitude fields, some unique
    | eval LatNormalized=round(Latitude,5)
    | eval LongNormalized=round(Longitude,5)
    | eval LatLongNormalized=LatNormalized+","+LongNormalized
    | dedup LatLongNormalized sortby -LatNormalized,-LongNormalized
    | timechart span=1mon count(LatLongNormalized)

I tried to use the following to at least identify where the 10k mark was hit, and I could then just modify my time range to exclude that, however it isn't working:

same search base as above
| eval LatNormalized=round(Latitude,5)
| eval LongNormalized=round(Longitude,5)
| eval LatLongNormalized=LatNormalized+","+LongNormalized
| dedup LatLongNormalized sortby -LatNormalized,-LongNormalized, -date_month
| eventstats count(LatLongNormalized) as countLatLongNormalized
| streamstats range(countLatLongNormalized) as countRange
| head (countRange<10000)

This doesn't appear to be doing what I expected either, so I'm thinking I'm going about this completely wrong. Does anyone know how I could eliminate the results from my search containing the first 10,000 unique values of LatLongNormalized and only chart the subsequent counts?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

So if your monthly count for Jan is say 18000, you want to plot only 8000? What should happen if Feb count is less than 10000?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...