https://community.splunk.com/t5/Splunk-Search/Unique-IP-count/m-p/453617#M128362 <P>Hi @jdhavo,</P> <P>The stats command <CODE>dc</CODE> gives the distinct count as shown here : <BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Stats">https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Stats</A></P> <P>If you want the list of unique IP addresses you can use the <CODE>values</CODE> stats command. And if you want you can have both : </P> <PRE><CODE>splunk_server=* index="mysiteindes" host=NXR4RIET313 SCRAPY | stats values(src_ip) as src_ip dc(src_ip) as distinctCountIP </CODE></PRE> <P>Note that values puts everything in the same block so you can use <CODE>mvexpand</CODE> command to split the results out into multiple lines.</P> <P>In either case make sure the src_ip field exists or you won't be able to run anything <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Cheers,<BR /> David </P> Mon, 13 May 2019 18:49:17 GMT DavidHourani 2019-05-13T18:49:17Z https://community.splunk.com/t5/Splunk-Search/Unique-IP-count/m-p/453614#M128359 <P>It seems like something that has been answered before but i have been unable to find the answer.<BR /> Is it possible to run a query that provides unique IP source addresses when searching for a particular string?<BR /> I've tried this however i'm not having any success:</P> <PRE><CODE>splunk_server=* index="mysiteindes" host=NXR4RIET313 SCRAPY | stats dc(src_ip) </CODE></PRE> <P>Would be particularly helpful if a portion of the IP (Host, Network) could be queried.</P> Mon, 13 May 2019 11:43:05 GMT https://community.splunk.com/t5/Splunk-Search/Unique-IP-count/m-p/453614#M128359 jdhavo 2019-05-13T11:43:05Z https://community.splunk.com/t5/Splunk-Search/Unique-IP-count/m-p/453615#M128360 <P>Does your Splunk data contains IP address in them?</P> Mon, 13 May 2019 13:28:02 GMT https://community.splunk.com/t5/Splunk-Search/Unique-IP-count/m-p/453615#M128360 somesoni2 2019-05-13T13:28:02Z https://community.splunk.com/t5/Splunk-Search/Unique-IP-count/m-p/453616#M128361 <P>The query you have right now simply returns the <STRONG>number</STRONG> of unique IP addresses. If you want the actual list of unique addresses, try this:</P> <PRE><CODE>splunk_server=* index="mysiteindes" host=NXR4RIET313 SCRAPY | stats values(src_ip) </CODE></PRE> <P>Or:</P> <PRE><CODE>splunk_server=* index="mysiteindes" host=NXR4RIET313 SCRAPY | stats count by src_ip </CODE></PRE> <P>To also get the number of events for each unique address.</P> Mon, 13 May 2019 15:02:19 GMT https://community.splunk.com/t5/Splunk-Search/Unique-IP-count/m-p/453616#M128361 FrankVl 2019-05-13T15:02:19Z https://community.splunk.com/t5/Splunk-Search/Unique-IP-count/m-p/453617#M128362 <P>Hi @jdhavo,</P> <P>The stats command <CODE>dc</CODE> gives the distinct count as shown here : <BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Stats">https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Stats</A></P> <P>If you want the list of unique IP addresses you can use the <CODE>values</CODE> stats command. And if you want you can have both : </P> <PRE><CODE>splunk_server=* index="mysiteindes" host=NXR4RIET313 SCRAPY | stats values(src_ip) as src_ip dc(src_ip) as distinctCountIP </CODE></PRE> <P>Note that values puts everything in the same block so you can use <CODE>mvexpand</CODE> command to split the results out into multiple lines.</P> <P>In either case make sure the src_ip field exists or you won't be able to run anything <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Cheers,<BR /> David </P> Mon, 13 May 2019 18:49:17 GMT https://community.splunk.com/t5/Splunk-Search/Unique-IP-count/m-p/453617#M128362 DavidHourani 2019-05-13T18:49:17Z