user3916
Reputation: 191
Splunk conditional distinct count
I'm running a distinct count syntax, stats dc(src_ip) by, and it returns the number of distinct source IPs but I would like to create a conditional statement (eval?) that it should only return the stats if the count is greater than 50.
Tried something like this, but no joy. Any idea how to make a conditional distinct count where count has to be more than X?
stats dc(src_ip) | eval status=if(count>50) => doesn't work
Upvotes: 1
Views: 11017
Answers (1)
RichG
Reputation: 9906
The stats command will always return results (although sometimes they'll be null). You can, however, suppress results that meet your conditions.
stats dc(src_ip) as ip_count
| where ip_count > 50
Upvotes: 1
Related Questions
- Splunk query - Total or Count by field
- Output counts grouped by field values by for date in Splunk
- Count and sum in splunk
- Splunk - How to extract two fileds distinct count one field by the other field?
- Splunk: count by Id
- Splunk Query - Search unique exception from logs with counts
- Splunk query formulation for unique records as per specific fields
- Splunk Query - Compute stats by removing duplicates and custom query
- How to count specific value occurrences in the same field?
- Splunk Query Count of Count