I'm running a distinct count syntax, stats dc(src_ip) by, and it returns the number of distinct source IPs but I would like to create a conditional statement (eval?) that it should only return the stats if the count is greater than 50.
Tried something like this, but no joy. Any idea how to make a conditional distinct count where count has to be more than X?
stats dc(src_ip) | eval status=if(count>50) => doesn't work
The
statscommand will always return results (although sometimes they'll be null). You can, however, suppress results that meet your conditions.