Hi all,
I am having trouble displaying search results when I specify that the returned results must be greater than six in the specified time period.
I have looked at:
http://answers.splunk.com/answers/70433/display-results-only-above-certain-number
The query I have works until I use the stats command to perform counting. Its been a long day so it will most likely be something simple but I just can't see it yet, so here goes:
"Error during SSL Handshake" OR "Connection timed out" OR "Connection refused"
| rex "Connection (?<CONN_ERR>.+): proxy: HTTPS: attempt to connect to (?<IP_PORT>.+) \((?<URL_ID>.+)\).+"
| rex "] proxy: (?<SSL_ERR>.+) with remote server returned by (?<APP_ID>.+)"
| eval GEN_ERR=mvappend (CONN_ERR,"",SSL_ERR)
| eval URL_OR_APP=mvappend (URL_ID,"",APP_ID)
| fillnull value=N/A
| table host, GEN_ERR, IP_PORT, URL_OR_APP
This query returns a fully populated table with nine "timed out" errors and eleven "SSL" errors in my test time frame.
If I try to
stats count by host, GEN_ERR, IP_PORT, URL_OR_APP
| search count > 6
| table host, GEN_ERR, IP_PORT, URL_OR_APP
The table then becomes a little bit of a mess with what appears to be (from the count displayed) duplicates with blank fields and then also the fully populated returns on separate lines.
Where did I go wrong?