Splunk Search

How to rename distinct_count() in a stats command

russelljesse
Explorer

I am running the following search:

source="whatever.log" user != \- user != \auto request=*GET* | stats distinct_count(ipaddr) count by user | search "distinct_count(ipaddr)" > 3

to find users not of username"-" or "auto" with a request type of get*, and looking for users in the log with more than 3 different IP addresses. I get the information I want, but I am finding it impossible to rename the disctinct_count result from my stats command.

Any ideas?

0 Karma

russelljesse
Explorer

I had tried many iterations of using AS, trying to pipe to tables, renames, but your code did work. I think because I was using search instead of where, it was not finding the field. Regardless, your code worked. Thanks!

0 Karma

Ayn
Legend

Not sure what you tried and didn't get working, but renaming the distinct_count should be as easy as using the "as" argument:

source="whatever.log" user != \- user != \auto request=*GET* | stats distinct_count(ipaddr) as distinct_ips, count by user | where distinct_ips > 3

I also removed the quotation marks from your ending search, as using those would cause Splunk to interpret the text in the quotation marks as a string and try to compare that string to a number. It doesn't give any syntax errors (I think) but simply doesn't make sense.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...