Search code examples
splunksplunk-query

How to put conditional output like arthmemetic , value o/p should be greater than = 30k and less that = 30 k

enter image description hereenter image description heresourcetype=xxxxx "connection from 17.129.249.164" OR "connection from 17.208.230.209" OR "connection from 10.41.84.33" OR "connection from 10.41.158.214" OR "connection from 10.41.88.162" OR "connection from 10.41.157.80" OR "connection from 10.41.88.198" OR "connection from 17.208.225.42" OR "connection from 10.41.92.81" OR "connection from 10.41.92.237" | rex field=_raw "connection from (?\d+.\d+.\d+.\d+):"| bin span=1d _time |chart max(value) count by _time FROM_IP limit=0

Solution

  • You can use stats command instead of chart. That will give you a count column

    sourcetype=xxxxx "connection from 17.129.249.164" OR "connection from 17.208.230.209" OR "connection from 10.41.84.33" OR "connection from 10.41.158.214" OR "connection from 10.41.88.162" OR "connection from 10.41.157.80" OR "connection from 10.41.88.198" OR "connection from 17.208.225.42" OR "connection from 10.41.92.81" OR "connection from 10.41.92.237" | rex field=_raw "connection from (?\d+.\d+.\d+.\d+):"| bin span=1d _time | stats count by _time FROM_IP | where count > 30000 AND count < 30000