How many people login with the same IP in the same...

RichPierre · ‎07-16-2014

Hi,

I have a problem with "stats count by" command.
I have login, ip and hour.
I want to know how many people have same ip in same hour.
I make that :

| stats values(login) AS login, count by hour,ip

I want that :
IP Login Hour
x.x.x.1 login1 hour1
login2
login3
But i have that:
x.x.x.1 login1 hour1
login2 hour1
x.x.x.1 login3 hour1
I don't know why i have that. . .
Ip/login/hour have the same format (they come from to csv).

I try to change hour to timestamp format but the result is the same.

Sincerely

somesoni2 · ‎07-17-2014

Check if there are any extra space in the values of ip or hour.

Suda · ‎07-16-2014

Hello,

I'm not sure why "login3" is in another group.

Could you try the following search commands?

your_search | stats values(login) values(hour) by ip
  OR
your_search | stats values(login) values(ip) by hour

You may find some reasons why you got your results which you don't expect.

And if you want to get the number of distinct users, I ask you to use "dc()" in stats.

| stats count dc(login) values(login) by ip, hour

Thank you.

somesoni2 · ‎07-16-2014

Try running this

|stats values(loging) as login, count(login) as count by hour,ip

How many people login with the same IP in the same hour using stats?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk