Re: How to use stats count where OR stats count wh...

vwilson3 · ‎07-06-2018

Greetings,

I'm pretty new to Splunk. I have to create a search/alert and am having trouble with the syntax. This is what I'm trying to do:
index=myindex field1="AU" field2="L"
|stats count by field3 where count >5 OR count by field4 where count>2

Any help is greatly appreciated.

vwilson3 · ‎07-14-2018

Still working on this. Thank you for your suggestions!

woodcock · ‎07-15-2018

Be sure to UpVote helpful answers even if you can't Accept one of them.

vwilson3 · ‎07-16-2018

Thank you, woodcock! I appreciate the guidance. I hope I did it correctly.

woodcock · ‎07-08-2018

Maybe this:

index=myindex field1="AU" field2="L"
| fillnull value="N/A" field3 field4
|stats count BY field3 field4
| multireport
[ stats sum(count) AS f3count BY field3 | where f3count>5]
[ stats sum(count) AS f4count BY field4 | where f4count>2]

renjith_nair · ‎07-08-2018

Hi @vwilson3,

Probably you are looking for something similar?

index=myindex field1="AU" field2="L"
|stats dc(field3) as field3,dc(field4) as field4 |where (field3>5 OR field4>2)

---
What goes around comes around. If it helps, hit it with Karma 🙂

richgalloway · ‎07-07-2018

The stats command does not have a where clause and only has a single by clause.

What are you trying to accomplish with your sample query? Once you explain what results you want to get, we may be able to help you get them.

---
If this reply helps you, Karma would be appreciated.

vwilson3 · ‎07-10-2018

I am trying to find events that match field1 and field2, and match field3 if there are more than 5 or match field4 if there are more than 2.

Thanks for the info.

How to use stats count where OR stats count where on different fields?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases