https://community.splunk.com/t5/Splunk-Search/How-to-display-iplocation-info-for-all-values-in-the-IP-address/m-p/218733#M64294 <P>Well, eventstats will let you keep track of how many unique IPs are seen per username so you can sort on that:</P> <PRE><CODE>index=abc username!="xyz" | eventstats dc(src_ip) AS ip_count by username | dedup username,src_ip | table username,src_ip,ip_count | sort -ip_count,-username | iplocation src_ip </CODE></PRE> <P>The problem is that you're not going to get the nice cell merging effect that stats values() gives you; mvcombine can sometimes help out here but I'm not sure it will work in this case. This comment might help if you really only want to see the same username once in your results: <A href="https://answers.splunk.com/answers/25102/question-regarding-grouping-of-results-into-a-table.html#comment-25144">https://answers.splunk.com/answers/25102/question-regarding-grouping-of-results-into-a-table.html#comment-25144</A></P> Thu, 23 Jun 2016 23:36:04 GMT jtacy 2016-06-23T23:36:04Z https://community.splunk.com/t5/Splunk-Search/How-to-display-iplocation-info-for-all-values-in-the-IP-address/m-p/218732#M64293 <P>So my search query gives me the IP addresses pertaining to a user field in the following manner:</P> <P>index=abc | stats values(src_ip) by username | where username!="xyz" | iplocation values(ipaddress)</P> <P>But the problem is that if a username has more than 1 IP address associated with it, it is skipped over in iplocation, that is, we have no resolution for IP to location mapping in those instances. For example:</P> <P><CODE>username values(ipaddress) city country<BR /> abcxyz 123.456.78.90 amazingcity amazingcountry<BR /> xyzabc 122.333.444.56<BR /> 234.456.333.444</CODE></P> <P>As you can see, the second user has multiple IP addresses associated with it and so <CODE>iplocation</CODE> just skips over it. How can I modify this query so that it resolves IP address for users with multiple IP addresses. Additionally, I would like to sort the results such that the users with the most IP addresses associated with them show up first.</P> Thu, 23 Jun 2016 21:09:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-iplocation-info-for-all-values-in-the-IP-address/m-p/218732#M64293 umichguy 2016-06-23T21:09:56Z https://community.splunk.com/t5/Splunk-Search/How-to-display-iplocation-info-for-all-values-in-the-IP-address/m-p/218733#M64294 <P>Well, eventstats will let you keep track of how many unique IPs are seen per username so you can sort on that:</P> <PRE><CODE>index=abc username!="xyz" | eventstats dc(src_ip) AS ip_count by username | dedup username,src_ip | table username,src_ip,ip_count | sort -ip_count,-username | iplocation src_ip </CODE></PRE> <P>The problem is that you're not going to get the nice cell merging effect that stats values() gives you; mvcombine can sometimes help out here but I'm not sure it will work in this case. This comment might help if you really only want to see the same username once in your results: <A href="https://answers.splunk.com/answers/25102/question-regarding-grouping-of-results-into-a-table.html#comment-25144">https://answers.splunk.com/answers/25102/question-regarding-grouping-of-results-into-a-table.html#comment-25144</A></P> Thu, 23 Jun 2016 23:36:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-iplocation-info-for-all-values-in-the-IP-address/m-p/218733#M64294 jtacy 2016-06-23T23:36:04Z