Solved: Grouping by user, count by number of countries

n_young · ‎10-23-2015

Using splunk to look at some auth data, and want to get search results that show the number of countries each user has logged in from.

I've gotten as far as adding the iplocation information into the search results, and even getting the reverse of what i want (number of users who have logged into each country), but when i try to do something like a "stats count by Country" it throws an error of: "Error in 'stats' command: The argument 'Country' is invalid."

Any suggestions? Here's the basics of the search so far:

... | iplocation clientLoginIp | stats count values(username) by Country | sort by count DESC

What am i missing?

martin_mueller · ‎10-23-2015

To get the number of countries a user has authenticated from you'll need to juggle your stats around a bit:

... | stats dc(County) by username

That'll give you the distinct count of country values for each user.

View solution in original post

martin_mueller · ‎10-23-2015

To get the number of countries a user has authenticated from you'll need to juggle your stats around a bit:

... | stats dc(County) by username

That'll give you the distinct count of country values for each user.

n_young · ‎10-26-2015

That worked perfectly. Thanks. I figured i was just missing something for the Country parameter.

Grouping by user, count by number of countries

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...