Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to rename distinct_count() in a stats command

russelljesse
Explorer
‎06-11-2018 01:17 PM

I am running the following search:

source="whatever.log" user != \- user != \auto request=*GET* | stats distinct_count(ipaddr) count by user | search "distinct_count(ipaddr)" > 3

to find users not of username"-" or "auto" with a request type of get*, and looking for users in the log with more than 3 different IP addresses. I get the information I want, but I am finding it impossible to rename the disctinct_count result from my stats command.

Any ideas?

0 Karma
Reply

russelljesse
Explorer
‎06-12-2018 05:44 AM

I had tried many iterations of using AS, trying to pipe to tables, renames, but your code did work. I think because I was using search instead of where, it was not finding the field. Regardless, your code worked. Thanks!

0 Karma
Reply

Ayn
Legend
‎06-11-2018 02:54 PM

Not sure what you tried and didn't get working, but renaming the distinct_count should be as easy as using the "as" argument:

source="whatever.log" user != \- user != \auto request=*GET* | stats distinct_count(ipaddr) as distinct_ips, count by user | where distinct_ips > 3

I also removed the quotation marks from your ending search, as using those would cause Splunk to interpret the text in the quotation marks as a string and try to compare that string to a number. It doesn't give any syntax errors (I think) but simply doesn't make sense.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What’s a riddle wrapped in an enigma?

September 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

BORE at .conf25

Boss Of Regular Expression (BORE) was an interactive session run again this year at .conf25 by the brilliant ...

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...