Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Count 2 fields in single query

Pmeiring
Explorer
‎10-09-2020 04:55 AM

Hi All, 

I need assistance with counting two fields in a single query. I'm trying modify an existing alert, to exclude white noise.  I'm trying to achieve the following, if a country count is more than 10, or an Username field is more than 5, they should be excluded.

The query compiles but no data is presented, I suspect the stats count usage is inaccurate. 

Example of Query - what I'm trying to achieve 

source="**********.log" "NOTICE Passed-Authentication: Authentication succeeded" earliest=-30d@d latest=now
| iplocation src_ip
| stats count as Country_Count by Country , count as Username_Count by User_Name
| where (Username_Count < 5 OR Country_Count < 10)

Output of Data - Country 

Country                 Country_count
United States      8
Eswatini                 9
Russia                     1
Mozambique        1
Netherlands         1
Zambia                   6

Output of Data - Username

User_Name                                                        Username_Count
abc@domain.com                                           1
abc2@domain.com                                        1
abc3@domain.com                                        1
abc4@domain.com                                        4
abc5@domain.com                                        1
abc6@domain.com                                        2

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-09-2020 06:55 AM 
source="**********.log" "NOTICE Passed-Authentication: Authentication succeeded" earliest=-30d@d latest=now
| iplocation src_ip
| stats count by Country, User_Name
| eventstats sum(count) as Country_Count by Country
| eventstats sum(count) as Username_Count by User_Name
| where (Username_Count <= 5 AND Country_Count <= 10)

Your description say you want to exclude where either country count is more than 10 or if username count is more than 5, which means include when username count <= 5 and country count <= 10

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-09-2020 06:55 AM 
source="**********.log" "NOTICE Passed-Authentication: Authentication succeeded" earliest=-30d@d latest=now
| iplocation src_ip
| stats count by Country, User_Name
| eventstats sum(count) as Country_Count by Country
| eventstats sum(count) as Username_Count by User_Name
| where (Username_Count <= 5 AND Country_Count <= 10)

Your description say you want to exclude where either country count is more than 10 or if username count is more than 5, which means include when username count <= 5 and country count <= 10

0 Karma
Reply
Solved! Jump to solution

Pmeiring
Explorer
‎10-09-2020 07:06 AM

Thanks ITWhisperer

Exactly what I was looking for.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-09-2020 06:04 AM

The stats command can only have a single by clause.  Have you tried this query?

source="**********.log" "NOTICE Passed-Authentication: Authentication succeeded" earliest=-30d@d latest=now
| iplocation src_ip
| stats count(Country) as Country_Count, count(User_Name) as Username_Count
| where (Username_Count < 5 OR Country_Count < 10)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Pmeiring
Explorer
‎10-09-2020 06:17 AM

Hi Richgalloway, 

I've tried the "stats count(Country)" but not data is displayed under statistics. 

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...