Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to return false if all results for a user are the same

DevNull
Observer
‎05-22-2021 06:54 PM

Hi there

I am trying to construct a search query which checks the ASN a user logs in from within a time period.

I would like to exclude all results where the ASN value is the same for all logins for a user.

Is there a way to do a compare of results based on both user and ASN within one search?

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-22-2021 09:37 PM

Hi @DevNull,

let me understand:

  • ASN is a field that could have many values and sometimes there could be the same value for a user,
  • you want to exclude users where there are more equal results on the same user,

is this correct?

In this case you can use stats and the option distinct_count, something like this:

your_search
| stats dc(ASN) AS dc_ASN values(ASN) AS ASN BY user
| where dc_ASN>threeshold

where threeshold is a number.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...