Solved: timechart suppress values lower then x

ndcl · ‎03-05-2012

Hi Base,
I just run into a problem and I can´t solve it by my own. So, maybe someone here can bring me back on track:

I build a timechart of a windows sec log: …| timechart span=30m count(TaskCategory) by Accountname fine so far. Now I want to suppress all results f.e. which are less than 50 but how?
where count >50 won´t work.

Thanks!

Stephen_Sorkin · ‎03-05-2012

This is somewhat tricky. Once the data has left timechart, the values are assigned to fields named by the values of "Accountname".

We have to preprocess the data and make sure that timechart doesn't get the undesired values to begin with.

... | bin span=30m _time
| stats count(TaskCategory) as TaskCategoryCount by _time, Accountname
| where TaskCategoryCount < 50
| timechart span=30m sum(TaskCategoryCount) as TaskCategoryCount by Accountname

View solution in original post

Stephen_Sorkin · ‎03-05-2012

This is somewhat tricky. Once the data has left timechart, the values are assigned to fields named by the values of "Accountname".

We have to preprocess the data and make sure that timechart doesn't get the undesired values to begin with.

... | bin span=30m _time
| stats count(TaskCategory) as TaskCategoryCount by _time, Accountname
| where TaskCategoryCount < 50
| timechart span=30m sum(TaskCategoryCount) as TaskCategoryCount by Accountname

ndcl · ‎03-06-2012

Thanks! This works fine for me!

timechart suppress values lower then x

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk