How to create search to return rows in table based...

johnsasikumar · ‎04-22-2019

I have a splunk query that forms table like this

Time    Type    Msg
10/1/2019 0:00  1   xyz
10/2/2019 0:00  2   xyz
10/3/2019 0:00  3   xyz
10/4/2019 0:00  4   xyz
10/5/2019 0:00  1   xyz
10/6/2019 0:00  1   xyz
10/7/2019 0:00  2   xyz
10/8/2019 0:00  2   xyz
10/9/2019 0:00  3   xyz
10/10/2019 0:00 3   xyz
10/11/2019 0:00 4   xyz
10/12/2019 0:00 3   xyz

How do i retain only the rows in the table where the count(type) is <3. So in this case i want the rows with type 4 to be removed because the count of events is less than 3.

VatsalJagani · ‎04-22-2019

Hi @johnsansikumar,
Please append below query after your existing query. (If you want to keep Type which has count less than 3, change where condition otherwise)

| eventstats count by Type | where count<3

Hope this helps!!

How to create search to return rows in table based on count?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...