Solved: Can you help me use the where command to limit res...

muzicman61 · ‎12-28-2018

I have a search that works perfectly. It lists the number of calls by area code by state. However, I'm trying to limit the results to only display area codes that have 500 or more hits.

Here's my search...

sourcetype="VHT:HPIQ:IVROutput" DNIS  "Success" | eval ac=substr(DNIS,2,3) | lookup areacode.csv areacode as ac OUTPUT state | stats count(ac) by state | sort -count(ac)

I've tried using the where command, but I can't seem to get the syntax correct. I'm sure it's a very simple answer but I am only 1 month into my Spunk learning.

Thanks for the help.

renjith_nair · ‎12-28-2018

@muzicman61,
Try,

sourcetype="VHT:HPIQ:IVROutput" DNIS "Success" | eval ac=substr(DNIS,2,3) | lookup areacode.csv areacode as ac OUTPUT state 
| stats count(ac)  as ac by state | where ac>=500

Happy Splunking!

View solution in original post

renjith_nair · ‎12-28-2018

@muzicman61,
Try,

sourcetype="VHT:HPIQ:IVROutput" DNIS "Success" | eval ac=substr(DNIS,2,3) | lookup areacode.csv areacode as ac OUTPUT state 
| stats count(ac)  as ac by state | where ac>=500

Happy Splunking!

muzicman61 · ‎12-28-2018

Thank you... I was close but it kept giving me errors. I knew the solution would be simple.

Can you help me use the where command to limit results?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes