How to get a direct count of results which are ove...

mcram52 · ‎11-18-2019

I've set up the following search with a count of events based on specific time frames over a week span:

index=epackage flow_event=Package* containsAmendedReport="false"
| eval Time2 = strptime(strftime(_time,"%F"),"%F"),
   Quad = case(
    _time > (Time2 + (09*3600)) AND _time < (Time2 + (11*3600)),"1st",
    _time > (Time2 + (11*3600)) AND _time < (Time2 + (13*3600)),"2nd",
    _time > (Time2 + (13*3600)) AND _time < (Time2 + (15*3600)),"3rd",
     _time > (Time2 + (15*3600)) AND _time < (Time2 + (17*3600)),"4th")
| timechart span=1d sum(numberOfReports) as count by Quad

The results table then looks like this:

How might I go about getting a direct count of the instances where the result was over 300? I've tried using |stats dc but it hasn't been working and I'm not sure why. Any suggestions?

mayurr98 · ‎11-18-2019

Not sure what exactly is your query but are you trying to get this?

index=epackage flow_event=Package* containsAmendedReport="false" 
| eval Time2 = strptime(strftime(_time,"%F"),"%F"),
    Quad = case(
    _time > (Time2 + (09*3600)) AND _time < (Time2 + (11*3600)),"1st",
    _time > (Time2 + (11*3600)) AND _time < (Time2 + (13*3600)),"2nd",
    _time > (Time2 + (13*3600)) AND _time < (Time2 + (15*3600)),"3rd",
    _time > (Time2 + (15*3600)) AND _time < (Time2 + (17*3600)),"4th") 
| bin _time span=1d 
| stats sum(numberOfReports) as count by Quad 
| where count> 300 
| stats dc(Quad)

How to get a direct count of results which are over a certain amount?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?