Solved: Find values for specific distinct counts

mztopp · ‎02-08-2021

Hello all!

I was hoping to take a distinct count and show either the count, or if the count is 1, show the value that is being counted. For example, index=random | stats dc(src_port) AS port_count count by src_ip would populate:

src_ip | port_count

-----------------------------------------------------

1.2.3.4 6

2.3.4.5 (1) Port 443

3.4.5.6 4

Or something to this effect. Thanks!

richgalloway · ‎02-08-2021

There may be a few ways to do that. Here's one.

index=random 
| stats values(src_port) AS ports count by src_ip 
| eval port_count = if(mvcount(ports)==1,"(1) Port " . mvindex(ports,0), mvcount(ports))

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎02-08-2021

There may be a few ways to do that. Here's one.

index=random 
| stats values(src_port) AS ports count by src_ip 
| eval port_count = if(mvcount(ports)==1,"(1) Port " . mvindex(ports,0), mvcount(ports))

---
If this reply helps you, Karma would be appreciated.

mztopp · ‎02-11-2021

Thank you!

Find values for specific distinct counts

eval

fields

stats

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation