topic Re: results greater then a stat's column in Splunk Search

results greater then a stat's column

brandonpal — Tue, 12 Aug 2014 20:57:38 GMT

Splunk big time NOOB here.

I'm trying to find IP's that are logging into our FTP server with more then one FTP User Name.

Here is my sarch string: index="ftp" client!="10...*" earliest=-24h | stats dc(FTPUser) by client | rename "dc(FTPUser)" AS "User"

The above works great and is showing me how many ftp accounts each ip is using.

Now I'd like to only see logins that are greater then 1. I tried adding | search FTPUser>1 but that does not work.

Any help would be greatly appreciated.

Thank you,

Brandon

Re: results greater then a stat's column

aelliott — Tue, 12 Aug 2014 21:02:17 GMT

| where User > 1

Re: results greater then a stat's column

martin_mueller — Tue, 12 Aug 2014 21:56:54 GMT

Appending that search command would have worked if you had used the same field name as in the rename command 😛

Re: results greater then a stat's column

brandonpal — Wed, 13 Aug 2014 00:36:59 GMT

That works great thank you. Is there a way I can get it to show me the User name's instead of a number. I know if I client the client ip it will show me usernames but any way to see it on my search screen?