Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to filter table results based on an aggregation of a column

3618475
Engager
‎06-02-2020 02:07 PM

I have this search that produces a table with has a column that lists the number of segments to a schedule. The table is shown belowalt text

I want to filter on the maximum number of segments (either 2 or 3). This is the query:

   ...search | table purchCostReference, eventType, Time, Segments, Carriers, BillingMethod, Origin, Destination, StopOffLocation |  stats max(Segments) as TotalSegments by purchCostReference, eventType | search TotalSegments = 2  |sort Time

I can use the max method to get the maximum number of segments and use the where to filter on the number of segments that I need but not all of the data is returned, only the columns that I used for the max function and I don't want the column TotalSegments displayed.

I want to return only the rows that have 2 segments and not have an additional column of TotalSegments.

Labels (2)
Labels
Preview file
1 KB
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-02-2020 11:38 PM

Hi @3618475,
after your search you can use mvexpand to thansform a multivalue field in separated events so you can use the dc option in stats to count and filter the events with TotalSegments = 2, in othe words, something like this:

...search 
| stats max(Segments) as TotalSegments by purchCostReference, eventType 
| mvexpand TotalSegments 
| stats values(TotalSegments) as TotalSegments dc(TotalSegments) AS dc_TotalSegments by purchCostReference eventType 
| search dc_TotalSegments = 2

only two notes:

  • you don't need the table command before the first stats;

  • after a stats command, you have only the fields of your stats, so, in your example, Time isn't a field in your stats, so you cannot sort by it; if you want also Time, you have to add to the stats command also Time, using earliest or latest as option, something like this:

    ...search
    | stats max(Segments) as TotalSegments latest(Time) AS Time BY purchCostReference, eventType
    | mvexpand TotalSegments
    | stats values(TotalSegments) as TotalSegments dc(TotalSegments) AS dc_TotalSegments latest(Time) AS Time BY purchCostReference eventType
    | search dc_TotalSegments = 2

    | sort Time

Ciao.
Giuseppe

0 Karma
Reply

3618475
Engager
‎06-03-2020 04:42 AM

Thanks for your help.
I was not clear enough in my question.
I want the final output to be the table filtered on Segments of 2 or 3.
If the segments were filtered by Segments = 2, the output should look like the table columns above but with only 2 Segments.
Since the stats command reduces the fields, I probably cant use it

0 Karma
Reply

cboillot
Contributor
‎05-06-2021 10:12 AM

I know this has been awhile, but have you tried 

| search dc_TotalSegments = 2 OR dc_TotalSegments = 3

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...