I am trying to create a search that will show me a list of IPs for logins. The issue is I only want to see them if people logged in from at least 2 IPs.
Current search params are:
sourcetype=login LOGIN ip=* username=* |stats values(ip) AS IP_List by username
which works great by providing me
Is there any way to only show?
username IP_List count
email@example.com 126.96.36.199 2
Thanks in advance.
For the count of unique values, use distinct count: dc(ip)
For the count of all values, use count(ip)
| stats values(ip) AS IP_List dc(ip) AS DISTINCT_IP by username
Perfect, thank you very much!!
Absolutely perfect!! Looks like my main problem was that I was doing the dc(ip) as a separate stats statement when trying to get the count. I added a |where DISTINCT_IP > 1 to get exactly what I needed.
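The search the thread arrives at (values(ip) and dc(ip) by username, then where DISTINCT_IP > 1), reproduced in Python over constructed log lines to show why dc(ip) and not count(ip) is the right filter. This is an added example, not part of the original posts; the log layout, the COUNT_IP column and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the thread); IPs are documentation ranges.
SAMPLE_LOG = """\
2024-01-05T10:00:00Z LOGIN username=alice ip=192.0.2.10
2024-01-05T10:05:00Z LOGIN username=bob ip=198.51.100.7
2024-01-05T11:00:00Z LOGIN username=alice ip=203.0.113.44
2024-01-05T11:30:00Z LOGIN username=bob ip=198.51.100.7
2024-01-05T12:00:00Z LOGOUT username=carol ip=192.0.2.99
2024-01-05T12:10:00Z LOGIN username=bob ip=198.51.100.7
2024-01-05T12:20:00Z LOGIN username=alice ip=192.0.2.10
2024-01-05T12:30:00Z LOGIN username=dave
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def login_ip_stats(log_text):
    """Per username: values(ip), dc(ip) and count(ip) over LOGIN events."""
    ips = defaultdict(list)
    for line in log_text.splitlines():
        # Rough stand-in for the bare LOGIN keyword in the search
        if "LOGIN" not in line.split():
            continue
        fields = dict(FIELD_RE.findall(line))
        # ip=* username=* : both fields must be present on the event
        if "ip" in fields and "username" in fields:
            ips[fields["username"]].append(fields["ip"])
    return {
        user: {
            "IP_List": sorted(set(seen)),    # values(ip): unique values, sorted
            "DISTINCT_IP": len(set(seen)),   # dc(ip): number of unique values
            "COUNT_IP": len(seen),           # count(ip): number of events with ip
        }
        for user, seen in ips.items()
    }


def multi_ip_users(log_text, threshold=1):
    """Equivalent of `| where DISTINCT_IP > 1` on the stats output."""
    return {user: row for user, row in login_ip_stats(log_text).items()
            if row["DISTINCT_IP"] > threshold}


if __name__ == "__main__":
    for user, row in multi_ip_users(SAMPLE_LOG).items():
        print(user, row["IP_List"], row["DISTINCT_IP"], row["COUNT_IP"])
```

In the sample, bob has three logins from one address, so a filter on count(ip) would flag him while the dc(ip) filter correctly returns only alice.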