Solved: How do i get a count of each value of a field, and...

ezmo1982 · ‎03-16-2021

Hi,

I have the below SPL which gets the count of each value of the field named "subject". I want to be able to select the values whose count is greater than 5. For example, if the search below returned 10 results, but only 2 had a count greater than 5, how can I pick those two values out and store them in new fields that i can reference after.

index=email_log RejType="Virus Signature Detection" | stats count by subject

Thanks!

peter_krammer · ‎03-16-2021

So you want to filter to only the subjects that have a count greater than 5?

index=email_log RejType="Virus Signature Detection"
| stats count by subject
| where count>5

View solution in original post

ezmo1982 · ‎03-22-2021

Actually there was no need for me to store the values in a new field. Thanks

peter_krammer · ‎03-16-2021

So you want to filter to only the subjects that have a count greater than 5?

index=email_log RejType="Virus Signature Detection"
| stats count by subject
| where count>5

somesoni2 · ‎03-16-2021

@ezmo1982 , Above search should give you first half or your requirement (filtering fields values whose count>5). For 2nd requirement (saving to a new field), please provide more information on what you intend to do with these values.

How do i get a count of each value of a field, and then extract the values whose count matches a certain number

count

stats

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms