Solved: Re: Count of values in from values() function

msmapper · ‎07-31-2013

hello there,

I am trying to create a search that will show me a list of ip's for logins. issue is i only want to see them if people logged from at least 2 ip's.

current search parms are

sourcetype=login LOGIN ip=* username=* |stats values(ip) AS IP_List by username

which works great by providing me

username IP_List
j@blah.com 1.2.3.4
b@duh.com 4.5.6.7
8.7.8.9
f@sigh.com 10.2.4.9

is there anyway to only show?

username IP_List count
b@duh.com 4.5.6.7 2
8.7.8.9

thanks in advance
jen

yannK · ‎07-31-2013

for the count of uniques values, use disctinct count dc(ip)
for count of all values, use count(ip)

see http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Commonstatsfunctions

sourcetype=login LOGIN | stats values(ip) AS IP_List dc(ip) AS DISTINCT_IP by username

View solution in original post

yannK · ‎07-31-2013

for the count of uniques values, use disctinct count dc(ip)
for count of all values, use count(ip)

see http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Commonstatsfunctions

sourcetype=login LOGIN | stats values(ip) AS IP_List dc(ip) AS DISTINCT_IP by username

cfernaca · ‎10-07-2019

Perfecto, muchas gracias !!

msmapper · ‎07-31-2013

absolutely perfect!! looks my main problem i was doing the dc(ip) as a separate stats statement when trying to get the count. I added a |where DISTINCT_IP > 1 to get exactly what i needed.

thanks again!

Jen

Count of values in from values() function

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation