https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-to-get-it-to-display-results-when-count/m-p/601279#M209273 <P>Hi Guys,</P> <P>I already have a query below that gives me a table similar to the one on bottom.&nbsp; I was wondering if there is a way to get it to display results when count of IP Address is exactly 2?&nbsp; &nbsp;</P> <P>Meaning show results when IP address = 2 otherwise dont show it.&nbsp; So 3rd entry should not show but first two should.&nbsp;&nbsp;</P> <P>Please let me know if any ideas.&nbsp; Appreciate your helps in advance.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>index=EventLog source=security EventCode=4771<BR />| stats count values(source) AS IP_Address BY Account_Name EventID Message<BR />| where count &gt; 20</P> <P>&nbsp;</P> <TABLE width="872"> <TBODY> <TR> <TD width="138">Account_Name</TD> <TD width="107">EventID</TD> <TD width="286">Message</TD> <TD width="137">Count</TD> <TD width="204">IP Address</TD> </TR> <TR> <TD>SmithA</TD> <TD>4771</TD> <TD>Kerberos pre-authentication failed</TD> <TD>5000</TD> <TD width="204">1.1.1.1<BR />2.2.2.2</TD> </TR> <TR> <TD>JohnsonX</TD> <TD>4771</TD> <TD>Kerberos pre-authentication failed</TD> <TD>6000</TD> <TD width="204">3.3.3.3<BR />4.4.4.4</TD> </TR> <TR> <TD>washingtonZ</TD> <TD>4771</TD> <TD>Kerberos pre-authentication failed</TD> <TD>7000</TD> <TD>5.5.5.5</TD> </TR> </TBODY> </TABLE> Fri, 10 Jun 2022 04:51:43 GMT aikn061 2022-06-10T04:51:43Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-to-get-it-to-display-results-when-count/m-p/601279#M209273 <P>Hi Guys,</P> <P>I already have a query below that gives me a table similar to the one on bottom.&nbsp; I was wondering if there is a way to get it to display results when count of IP Address is exactly 2?&nbsp; &nbsp;</P> <P>Meaning show results when IP address = 2 otherwise dont show it.&nbsp; So 3rd entry should not show but first two should.&nbsp;&nbsp;</P> <P>Please let me know if any ideas.&nbsp; Appreciate your helps in advance.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>index=EventLog source=security EventCode=4771<BR />| stats count values(source) AS IP_Address BY Account_Name EventID Message<BR />| where count &gt; 20</P> <P>&nbsp;</P> <TABLE width="872"> <TBODY> <TR> <TD width="138">Account_Name</TD> <TD width="107">EventID</TD> <TD width="286">Message</TD> <TD width="137">Count</TD> <TD width="204">IP Address</TD> </TR> <TR> <TD>SmithA</TD> <TD>4771</TD> <TD>Kerberos pre-authentication failed</TD> <TD>5000</TD> <TD width="204">1.1.1.1<BR />2.2.2.2</TD> </TR> <TR> <TD>JohnsonX</TD> <TD>4771</TD> <TD>Kerberos pre-authentication failed</TD> <TD>6000</TD> <TD width="204">3.3.3.3<BR />4.4.4.4</TD> </TR> <TR> <TD>washingtonZ</TD> <TD>4771</TD> <TD>Kerberos pre-authentication failed</TD> <TD>7000</TD> <TD>5.5.5.5</TD> </TR> </TBODY> </TABLE> Fri, 10 Jun 2022 04:51:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-to-get-it-to-display-results-when-count/m-p/601279#M209273 aikn061 2022-06-10T04:51:43Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-to-get-it-to-display-results-when-count/m-p/601284#M209277 <P>Use the <FONT face="courier new,courier">mvcount</FONT> function to find the number of IP addresses.</P><LI-CODE lang="markup">index=EventLog source=security EventCode=4771 | stats count values(source) AS IP_Address BY Account_Name EventID Message | where (count &gt; 20 AND mvcount(IP_Address)=2)</LI-CODE><P>&nbsp;</P> Fri, 10 Jun 2022 00:32:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-to-get-it-to-display-results-when-count/m-p/601284#M209277 richgalloway 2022-06-10T00:32:36Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-to-get-it-to-display-results-when-count/m-p/601286#M209279 <P>Thank you!&nbsp; Worked like a charm.</P> Fri, 10 Jun 2022 00:40:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-to-get-it-to-display-results-when-count/m-p/601286#M209279 aikn061 2022-06-10T00:40:26Z