Re: Return values of field that dc is ran on inste...

trc29 · ‎03-15-2018

Hello all,

I have the following search:

index="vpn_gateway" eventtype="vpn-authall" |
stats dc(vpnuid) by vpnclient |
search "dc(vpnuid)" > 1 |
fields vpnclient, dc(vpnuid) |
sort -dc(vpnuid)

This command searches our VPN index for any authentication events, counts them by source IP addresses, and if a particular IP has signed in on 2 or more accounts, the IP address and number of users is returned:

vpnclient | dc(vpnuid)

10.0.8.1 | 2
10.0.2.2 | 3

What I'd like to do is also include the ID of the users. The output should look as follows:

Is this possible? I'm at a loss.

adonio · ‎03-15-2018

try this:

index="vpn_gateway" eventtype="vpn-authall" 
| stats dc(vpnuid) values(userid) as unique_user_ids by vpnclient
| search "dc(vpnuid)" > 1
| fields vpnclient, dc(vpnuid) unique_user_ids
| sort -dc(vpnuid)

you dont really need the fields command there as stats brings back only the fields you are "statsing"

hope it helps

Return values of field that dc is ran on instead of just the count

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Are you a member of the Splunk Community?

Return values of field that dc is ran on instead of just the count

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions