I am running the following search:
source="whatever.log" user != \- user != \auto request=*GET* | stats distinct_count(ipaddr) count by user | search "distinct_count(ipaddr)" > 3
to find users not of username"-" or "auto" with a request type of get*, and looking for users in the log with more than 3 different IP addresses. I get the information I want, but I am finding it impossible to rename the disctinct_count result from my stats command.
Any ideas?
I had tried many iterations of using AS, trying to pipe to tables, renames, but your code did work. I think because I was using search instead of where, it was not finding the field. Regardless, your code worked. Thanks!
Not sure what you tried and didn't get working, but renaming the distinct_count should be as easy as using the "as" argument:
source="whatever.log" user != \- user != \auto request=*GET* | stats distinct_count(ipaddr) as distinct_ips, count by user | where distinct_ips > 3
I also removed the quotation marks from your ending search, as using those would cause Splunk to interpret the text in the quotation marks as a string and try to compare that string to a number. It doesn't give any syntax errors (I think) but simply doesn't make sense.