Here is my current query:
index=abc* | stats count by user,date | eval highcount=if(count>=1000,1000,count)
This gives me output like this:
user1 200 200
user2 34 34
user3 1200 1000 --> I want to stop counting for this user once high count reaches 1000 and continue counting other users as it finds.
Thanks
Like this:
index=abc*
| stats count BY user date
| eval count = min(1000, count)
Yes please, yes please.
First of all, what is the purpose and duration of the search? (Do you want to count the number of users?)
Please provide a sample log.
How many items are you searching for?
I think I figured:
index=abc* | stats count by user,date | eval count=if(count>=1000,1000,count)
Is there a better way to do this?
Do you want to reduce search time?
Splunk basically searches for search criteria within the search period.