FAQ: How do I use test() to do field evaluations?

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Training API GraphQL API Contacting Support

Page was created:26 Mar 2024

Similar to where in Splunk, you can use groupBy() and test() to check one field value against another. In this example, we want to see if a username has completed more than 25 logons in a given search window:

logscale

#event_simpleName=UserLogon
| groupBy(UserName, function=(count(aid, as=totalLogons)))
| test(totalLogons > 25)

Knowledge Base

FAQ: How do I use test() to do field evaluations?

Enter search term