I want to exclude CompletedConnections with a value of 0 in the below string.
sourcetype ______________ | stats count(eval(connStatus=="CLIENT_ACCEPTED")) as ConnectionAttempt, count(eval(connStatus=="SERVER_CONNECTED")) as CompletedConnections by field1 field2 field3
I have attempted to add:
| where count>0
| where CompletedConnections > 0
| where NOT CompletedConnections="0"
The search does not spit out errors, but I am not getting any statistical results with the added where commands.
1. How can I exclude CompletedConnections with a 0 value?
2. Is there a better way to perform the stats command to exclude 0 values?