Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to list only distinct values from the listed results?

rakeshyv0807
Explorer
‎03-27-2018 10:32 AM

Hi I have a query which runs and results me the list of Ip's in a table format grouped by username.

In my table of results there might be different IP's for the same username which are listed down in the single IP cell. Please find below the example of my result table:

Username-------------------------------------------Ipaddress------------------------application---------------------------city-----------------------------country
1) abcd--------------------------------------------------123.123.123.12---------------------xyz---------------------------------asdf-----------------------------zxcvb
123.123.123.12 xyz asdf zxcvb
234.456.677.22 ghj ghjk fghjk

2) dfgh--------------------------------------------------234.123.12.345----------------------ssss------------------------------dfggh----------------------------ghjhjkk

As shown above for one username there will be list of ip's and corresponding city and country info are displayed. What i want to achieve here is that I need to display only distinct ip's for each username. How can I do it?

To display my results in above table I am using the following search:

mysearch
| iplocation clientip1
| streamstats count as occuranceCount list(clientip1) as client_IP, list(applicationid) as application list(Country) as Country, list(City) as City by subject
| sort - occuranceCount
| dedup subject
| table subject occuranceCount client_IP connectionid City Country

Please help!
Thanks in advance

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎11-24-2020 04:53 AM

you can apply any stats functions like values/list/avg/median etc to only field names. based on your query ban must be field in your index.

————————————
If this helps, give a like below.
0 Karma
Reply

rameshnaik
New Member
‎11-24-2020 03:50 AM

I want list out all values of variable ban in the string "ban":12897

Using below command but nothing is listed.

index=k8_bm* "jeopardyType" "Prepaid-Service-Error" "ban" | stats values(ban)

 

0 Karma
Reply

mayurr98
Super Champion
‎03-27-2018 10:42 AM

Instead of list try values? i.e. values(clientip1) as client_IP

let me know if this helps!

Reply

JanniktheOne
Engager
‎07-20-2022 01:12 AM

values is what I was searching for. It only shows distinct lists.

0 Karma
Reply

rakeshyv0807
Explorer
‎03-27-2018 10:58 AM

I have tried the values(clientip1) as client_IP but since I am deleting duplicates by username using dedup so the different Ip's of same username are not being displayed.

0 Karma
Reply

mayurr98
Super Champion
‎03-27-2018 11:18 AM

well you are doing by subject which is already distinct so dedup subject will not make any sense.

can you try this?

mysearch 
| iplocation clientip1 
| streamstats count as occuranceCount by subject clientip1 applicationid Country City 
| table subject occuranceCount clientip1 connectionid City Country 
| sort - occuranceCount 
| dedup subject
0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top