Splunk Search

How to find the multiple IP sources per user?

nazanin2016
Path Finder

Hi, I am trying to filter my search by user name and IP. I used the simple command
(mysearch) | table src_user,src_ip, and it gives me some values of IP per user,
but when I do the search as:
(mysearch) | stats count by src_user,src_ip, it gives me all the values of IP per user.
My question is: why don't they both give me the same result for source IP? Why does the table command miss some of the IPs?
Thanks


gokadroid
Motivator

To answer this part of the question ("why they both don't give me the same result for ip source? why table command miss some of the ips?"): can you please check whether the data is on the "other pages" (see the numbers 1, 2, 3 >> at the bottom) and whether what you are viewing is only the first page of the paginated table data. Try sorting by a user or IP to see if you find the data.

There should not be any reason why the table command would miss any of the user and IP combinations which the stats command is aggregating. One way to check if both commands are giving the same data is to search for a single user and IP combination, like:

Query 1

your base search
| table src_user,src_ip
| where src_user="anyUserValue"  AND src_ip="IPwhichExistsForUser"

Query 2

your base search
| stats count by src_user,src_ip
| where src_user="anyUserValue"  AND src_ip="IPwhichExistsForUser"

The count in the second query should equal the number of lines which appear in the table given by the first query.

niketn
Legend

The table command will list all src_user and src_ip values. The only difference is that the stats command counts such occurrences and aggregates the result.

You can validate whether the number of results for the following two commands is the same or not.

<Your Base Search> | dedup src_user, src_ip | sort src_user, src_ip | table src_user, src_ip 

<Your Base Search> | stats count by src_user,src_ip | sort src_user, src_ip
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
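The following is an added example, not code from either answer above or from Splunk itself. It simulates the three SPL commands that both answers rely on (`table`, `stats count by`, `dedup`) over a small constructed set of events, so you can see why `table` returns one row per event (duplicates included) while `stats` returns one row per distinct pair, and so that the per-pair check from the first answer and the dedup comparison from the second answer can be run directly. It also goes one step beyond the thread and answers the question in the title (users seen from more than one source IP), which in SPL would be `| stats dc(src_ip) as ip_count values(src_ip) as ips by src_user | where ip_count > 1`. The event set, user names and IPs are constructed, and the function names are my own.

```python
"""Simulate the Splunk `table`, `stats count by` and `dedup` commands over a
constructed event set. Added example, not code from the thread."""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample events, one dict per event, with the fields Splunk would extract.
# alice appears from two IPs, and the (alice, 10.0.0.5) pair repeats.
EVENTS: List[Dict[str, str]] = [
    {"_time": "2024-01-01T08:00:00", "src_user": "alice", "src_ip": "10.0.0.5"},
    {"_time": "2024-01-01T08:05:00", "src_user": "alice", "src_ip": "10.0.0.5"},
    {"_time": "2024-01-01T09:10:00", "src_user": "alice", "src_ip": "203.0.113.7"},
    {"_time": "2024-01-01T09:12:00", "src_user": "bob",   "src_ip": "10.0.0.9"},
    {"_time": "2024-01-01T09:15:00", "src_user": "bob",   "src_ip": "10.0.0.9"},
    {"_time": "2024-01-01T09:20:00", "src_user": "bob",   "src_ip": "10.0.0.9"},
    {"_time": "2024-01-01T10:00:00", "src_user": "carol", "src_ip": "192.0.2.1"},
]

Row = Tuple[str, ...]


def table(events: List[Dict[str, str]], *fields: str) -> List[Row]:
    """`| table f1,f2`: one row per event, duplicates kept, event order kept.
    A field missing from an event shows up as an empty cell."""
    return [tuple(e.get(f, "") for f in fields) for e in events]


def stats_count_by(events: List[Dict[str, str]], *fields: str) -> Dict[Row, int]:
    """`| stats count by f1,f2`: one row per distinct combination, with its count."""
    return dict(Counter(table(events, *fields)))


def dedup(events: List[Dict[str, str]], *fields: str) -> List[Dict[str, str]]:
    """`| dedup f1,f2`: keep only the first event seen for each distinct combination."""
    seen: Set[Row] = set()
    kept: List[Dict[str, str]] = []
    for e in events:
        key = tuple(e.get(f, "") for f in fields)
        if key not in seen:
            seen.add(key)
            kept.append(e)
    return kept


def table_and_stats_agree(events: List[Dict[str, str]], *fields: str) -> bool:
    """The checks proposed in the thread: for every (src_user, src_ip) pair the
    stats count must equal the number of table rows for that pair, and
    dedup + table must yield exactly the distinct pairs that stats reports."""
    rows = table(events, *fields)
    counts = stats_count_by(events, *fields)
    per_pair_ok = all(rows.count(pair) == n for pair, n in counts.items())
    distinct_ok = set(table(dedup(events, *fields), *fields)) == set(counts)
    return per_pair_ok and distinct_ok and len(set(rows)) == len(counts)


def users_with_multiple_ips(events: List[Dict[str, str]], min_ips: int = 2) -> Dict[str, List[str]]:
    """Equivalent of `| stats dc(src_ip) as ip_count values(src_ip) as ips by src_user
    | where ip_count >= min_ips`: users seen from several source IPs."""
    ips_by_user: Dict[str, Set[str]] = {}
    for e in events:
        ips_by_user.setdefault(e["src_user"], set()).add(e["src_ip"])
    return {u: sorted(ips) for u, ips in sorted(ips_by_user.items()) if len(ips) >= min_ips}


if __name__ == "__main__":
    print("table rows :", len(table(EVENTS, "src_user", "src_ip")))       # 7, one per event
    print("stats rows :", stats_count_by(EVENTS, "src_user", "src_ip"))   # 4 distinct pairs
    print("consistent :", table_and_stats_agree(EVENTS, "src_user", "src_ip"))
    print("multi-IP   :", users_with_multiple_ips(EVENTS))
```

The row counts differ (7 table rows versus 4 stats rows) because `table` keeps every event, so a pair such as (bob, 10.0.0.9) occupies three rows; that is also why, in the real UI, a long `table` result spreads over several pages while the aggregated `stats` result fits on one. The distinct pairs themselves are identical, which is what `table_and_stats_agree` verifies.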