Solved: Count of values in from values() function

msmapper · ‎07-31-2013

hello there,

I am trying to create a search that will show me a list of ip's for logins. issue is i only want to see them if people logged from at least 2 ip's.

current search parms are

sourcetype=login LOGIN ip=* username=* |stats values(ip) AS IP_List by username

which works great by providing me

username IP_List
j@blah.com 1.2.3.4
b@duh.com 4.5.6.7
8.7.8.9
f@sigh.com 10.2.4.9

is there anyway to only show?

username IP_List count
b@duh.com 4.5.6.7 2
8.7.8.9

thanks in advance
jen

yannK · ‎07-31-2013

for the count of uniques values, use disctinct count dc(ip)
for count of all values, use count(ip)

see http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Commonstatsfunctions

sourcetype=login LOGIN | stats values(ip) AS IP_List dc(ip) AS DISTINCT_IP by username

View solution in original post

yannK · ‎07-31-2013

for the count of uniques values, use disctinct count dc(ip)
for count of all values, use count(ip)

see http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Commonstatsfunctions

sourcetype=login LOGIN | stats values(ip) AS IP_List dc(ip) AS DISTINCT_IP by username

cfernaca · ‎10-07-2019

Perfecto, muchas gracias !!

msmapper · ‎07-31-2013

absolutely perfect!! looks my main problem i was doing the dc(ip) as a separate stats statement when trying to get the count. I added a |where DISTINCT_IP > 1 to get exactly what i needed.

thanks again!

Jen

Count of values in from values() function

Improve Your Security Posture

Maximize the Value from Microsoft Defender with Splunk

This Week's Community Digest - Splunk Community Happenings [6.27.22]