https://community.splunk.com/t5/Splunk-Search/Stats-count-question/m-p/481877#M193129 <P>I have a requirement to find whether multiple users from the same source IP failed authentication for example. My test case is as follows:</P> <P>I have an external IP address ==&gt; 1.2.3.4<BR /> I have 3 users for example ==&gt; User1, User2, User3</P> <P>User1, User2 and User3 would normally have their own IP addresses that they log in with. My requirement is to see if all 3 users are coming from the same external IP address</P> <P>Based on this I created the following search</P> <P>index=inboundconns event="login found" | stats values(user) as user, count(user) as count by src</P> <P>This gives me a table as follows (src 1.2.3.4 shows 3 users with a count of 3)</P> <P>src | user | count<BR /> 9.8.7.6 | user6 | 1<BR /> 6.5.4.3 | user 88 | 2<BR /> 1.2.3.4 | User 1 | 3<BR /> | User 2<BR /> | User 3</P> <P>I then try and expand on the search to pick up on the "1.2.3.4" address and omit the "6.5.4.3" address. This is because "6.5.4.3" is only a single user from a single IP address.</P> <P>I extend my query as follows</P> <P>index=inboundconns event="login found" | stats values(user) as user, count(user) as count by src | where count &gt; 1</P> <P>This query then removes the first row in the able which is expected. However I need to be able to enhance this by doing the count by user and not by "count". So "where the user count &gt; 1 for a specific or distinct src" show this and omit all else. </P> Tue, 17 Sep 2019 02:35:53 GMT willadams 2019-09-17T02:35:53Z https://community.splunk.com/t5/Splunk-Search/Stats-count-question/m-p/481877#M193129 <P>I have a requirement to find whether multiple users from the same source IP failed authentication for example. My test case is as follows:</P> <P>I have an external IP address ==&gt; 1.2.3.4<BR /> I have 3 users for example ==&gt; User1, User2, User3</P> <P>User1, User2 and User3 would normally have their own IP addresses that they log in with. My requirement is to see if all 3 users are coming from the same external IP address</P> <P>Based on this I created the following search</P> <P>index=inboundconns event="login found" | stats values(user) as user, count(user) as count by src</P> <P>This gives me a table as follows (src 1.2.3.4 shows 3 users with a count of 3)</P> <P>src | user | count<BR /> 9.8.7.6 | user6 | 1<BR /> 6.5.4.3 | user 88 | 2<BR /> 1.2.3.4 | User 1 | 3<BR /> | User 2<BR /> | User 3</P> <P>I then try and expand on the search to pick up on the "1.2.3.4" address and omit the "6.5.4.3" address. This is because "6.5.4.3" is only a single user from a single IP address.</P> <P>I extend my query as follows</P> <P>index=inboundconns event="login found" | stats values(user) as user, count(user) as count by src | where count &gt; 1</P> <P>This query then removes the first row in the able which is expected. However I need to be able to enhance this by doing the count by user and not by "count". So "where the user count &gt; 1 for a specific or distinct src" show this and omit all else. </P> Tue, 17 Sep 2019 02:35:53 GMT https://community.splunk.com/t5/Splunk-Search/Stats-count-question/m-p/481877#M193129 willadams 2019-09-17T02:35:53Z https://community.splunk.com/t5/Splunk-Search/Stats-count-question/m-p/481878#M193130 <P>@willadams,</P> <P>Try <CODE>dc</CODE> or <CODE>distinct_count</CODE></P> <PRE><CODE>index=inboundconns event="login found" | stats values(user) as user,dc(user) as count by src|where count &gt;1 </CODE></PRE> Tue, 17 Sep 2019 13:28:53 GMT https://community.splunk.com/t5/Splunk-Search/Stats-count-question/m-p/481878#M193130 renjith_nair 2019-09-17T13:28:53Z