Solved: display results only above certain number

robK123 · ‎12-30-2012

I have this search I want to only display results for when the sum(failures) is higher than 4 how can I do this?

(index=infrastructure-os OR index=main) sudo "incorrect password attempt*" 
|rex field=_raw "sudo:[^a-z]+(?<user>[^ ]+) : (?<failures>[0-9]+) incorrect"
|stats sum(failures) by user, host 
| where user!="addm"|

lguinn2 · ‎12-30-2012

Try this!

(index=infrastructure-os OR index=main) sudo "incorrect password attempt*" 
| rex field=_raw "sudo:[^a-z]+(?<user>[^ ]+) : (?<failures>[0-9]+) incorrect"
| stats sum(failures) as totalFailures by user, host 
| where user!="addm" AND totalFailures > 4

Notice that you can give a name to the results of the stats calculation. Once it has a field name (totalFailures), you can use it in further commands...

View solution in original post

lguinn2 · ‎12-30-2012

Try this!

(index=infrastructure-os OR index=main) sudo "incorrect password attempt*" 
| rex field=_raw "sudo:[^a-z]+(?<user>[^ ]+) : (?<failures>[0-9]+) incorrect"
| stats sum(failures) as totalFailures by user, host 
| where user!="addm" AND totalFailures > 4

Notice that you can give a name to the results of the stats calculation. Once it has a field name (totalFailures), you can use it in further commands...

robK123 · ‎01-02-2013

That worked! Thanks

display results only above certain number

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes