https://community.splunk.com/t5/Splunk-Search/Why-is-it-showing-more-data-after-dc-count-with-the-right-order/m-p/634566#M220449 <P>Hi! im working on an alert for access from different countries for certain users in a short time period. The alert and the search works fine but i will like to show more info when the alert triggers (source ip and time).</P> <P>&nbsp;</P> <P>Here a sample of the event:</P> <P>09:09:55,377 INFO [XX.XXX.XXXXXXX.cbapi.dao.login.LoginDAOImpl] (default task-34878) Enviamos parámetros: [authTipoPassword=E, authDato=4249929, authTipoDato=D, nroDocEmpresa=80097256-2, tipoDocEmpresa=D, authCodCanal=999, authIP=45.170.128.191, esDealer=N, dispositivoID=40ee57e1-e5eb-4b14-b7ef-9f0f8ccdf6c</P> <P>2, dispositivoOS=null ]</P> <P>Here the search:</P> <P>index="XXXX" host="XXX.XXX.-*" sourcetype=XXXXXXCBAPI*&nbsp; authDato authIP dao.login.LoginDAOImpl authIP=* authCodCanal=999 | iplocation authIP | eval Country = if(isnull(Country) OR Country="", "Unknown", Country) | stats<BR />dc(Country) AS count<BR />values(Country) AS country values(authIP) as authIP<BR />latest(_time) AS latest<BR />BY authDato | where count &gt; 1 | eval latest=strftime(latest,"%Y-%m-%d %H:%M:%S") | sort - latest</P> <P>With this i get a result like this:</P> <P>authdato | count | Country | authIP | latest</P> <P>2363494 | 2 |&nbsp; &nbsp;Argentina |&nbsp;170.51.250.39 |&nbsp;2023-03-15 09:09:09</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Paraguay |&nbsp;170.51.55.186<BR /><BR />the thing is.. the ip address aren't aligned with the country for that ip, neither the time is aligned with the last Country or ip address.<BR /><BR /></P> <P>Ive tried several things but still can't figure out how to correctly present the results (in the right order i mean)</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 15 Mar 2023 18:35:23 GMT dieguiariel 2023-03-15T18:35:23Z https://community.splunk.com/t5/Splunk-Search/Why-is-it-showing-more-data-after-dc-count-with-the-right-order/m-p/634566#M220449 <P>Hi! im working on an alert for access from different countries for certain users in a short time period. The alert and the search works fine but i will like to show more info when the alert triggers (source ip and time).</P> <P>&nbsp;</P> <P>Here a sample of the event:</P> <P>09:09:55,377 INFO [XX.XXX.XXXXXXX.cbapi.dao.login.LoginDAOImpl] (default task-34878) Enviamos parámetros: [authTipoPassword=E, authDato=4249929, authTipoDato=D, nroDocEmpresa=80097256-2, tipoDocEmpresa=D, authCodCanal=999, authIP=45.170.128.191, esDealer=N, dispositivoID=40ee57e1-e5eb-4b14-b7ef-9f0f8ccdf6c</P> <P>2, dispositivoOS=null ]</P> <P>Here the search:</P> <P>index="XXXX" host="XXX.XXX.-*" sourcetype=XXXXXXCBAPI*&nbsp; authDato authIP dao.login.LoginDAOImpl authIP=* authCodCanal=999 | iplocation authIP | eval Country = if(isnull(Country) OR Country="", "Unknown", Country) | stats<BR />dc(Country) AS count<BR />values(Country) AS country values(authIP) as authIP<BR />latest(_time) AS latest<BR />BY authDato | where count &gt; 1 | eval latest=strftime(latest,"%Y-%m-%d %H:%M:%S") | sort - latest</P> <P>With this i get a result like this:</P> <P>authdato | count | Country | authIP | latest</P> <P>2363494 | 2 |&nbsp; &nbsp;Argentina |&nbsp;170.51.250.39 |&nbsp;2023-03-15 09:09:09</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Paraguay |&nbsp;170.51.55.186<BR /><BR />the thing is.. the ip address aren't aligned with the country for that ip, neither the time is aligned with the last Country or ip address.<BR /><BR /></P> <P>Ive tried several things but still can't figure out how to correctly present the results (in the right order i mean)</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 15 Mar 2023 18:35:23 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-it-showing-more-data-after-dc-count-with-the-right-order/m-p/634566#M220449 dieguiariel 2023-03-15T18:35:23Z https://community.splunk.com/t5/Splunk-Search/Why-is-it-showing-more-data-after-dc-count-with-the-right-order/m-p/634571#M220451 <P>The <FONT face="courier new,courier">values</FONT> function returns unique values of a field in alphabetical order.&nbsp; You can't change that.</P><P>Try the <FONT face="courier new,courier">list</FONT> function, instead, which return all values in the order they were found.&nbsp; Only 100 values are returned, however.</P> Wed, 15 Mar 2023 12:43:17 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-it-showing-more-data-after-dc-count-with-the-right-order/m-p/634571#M220451 richgalloway 2023-03-15T12:43:17Z https://community.splunk.com/t5/Splunk-Search/Why-is-it-showing-more-data-after-dc-count-with-the-right-order/m-p/634572#M220452 <P>Use list() rather than values() - values() will put the values in (lexicographical) order and removes duplicates, whereas list() maintains the order and duplicates.</P> Wed, 15 Mar 2023 12:43:24 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-it-showing-more-data-after-dc-count-with-the-right-order/m-p/634572#M220452 ITWhisperer 2023-03-15T12:43:24Z https://community.splunk.com/t5/Splunk-Search/Why-is-it-showing-more-data-after-dc-count-with-the-right-order/m-p/634579#M220453 <P>Hi! thank yoy both for the answer, it worked with list!&nbsp;</P> Wed, 15 Mar 2023 13:02:08 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-it-showing-more-data-after-dc-count-with-the-right-order/m-p/634579#M220453 dieguiariel 2023-03-15T13:02:08Z