Solved: Using where in search

balcv · ‎09-12-2019

I have the following search

index="pan" (dest_ip="192.168.*" AND NOT src_ip="192.168.*" AND NOT src_location="AU" AND NOT src_location="*-*" ) 
| chart count by src_location,action

This results in a nice stacked column chart showing actions (allowed & blocked) per src_location.
What I need to do is only show those src_locations where the total count (allowed + blocked) is greater than a specific value (eg totalCount >= 500).

I have tried using separate stats count by [field] as [name] statements then using eval to add them together but I can't get the results I'm wanting which is the stacked column graph by src_location showing allowed & blocked.

Any suggestions greatly appreciated.

renjith_nair · ‎09-12-2019

@balcv ,

Try

index="pan" (dest_ip="192.168.*" AND NOT src_ip="192.168.*" AND NOT src_location="AU" AND NOT src_location="*-*" ) 
| chart count by src_location,action
| addtotals row=true fieldname=totalCount | where totalCount >= 500|fields - totalCount

Happy Splunking!

View solution in original post

renjith_nair · ‎09-12-2019

@balcv ,

Try

index="pan" (dest_ip="192.168.*" AND NOT src_ip="192.168.*" AND NOT src_location="AU" AND NOT src_location="*-*" ) 
| chart count by src_location,action
| addtotals row=true fieldname=totalCount | where totalCount >= 500|fields - totalCount

Happy Splunking!

balcv · ‎09-12-2019

Awesome. Thanks for that @renjith.nair

Using where in search

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk