Re: SPL Query to filter the ip used less than 20+u...

SabariRajanT · ‎06-29-2021

Hi Team,

I have a dashboard where existing results showing Event date, Event title, email id, Logon IP, Logon Location, AD Location.

The condition here is I need to remove the Logon IP used by more than 20+users from my current dashboard and display only Logon IP used by less than 20+ users

EG: index=ert "192.34.23.122" earliest=-30d | stats dc(user) as "Distinct users"

Using above query if the logon ip 192.34.23.122 used by more than 20+ users then my dashboard doesn't show up.

EG: index=ert "192.34.23.122" earliest=-30d | stats dc(user) as "Distinct users"

Using above query if the logon ip 192.34.23.122 used by less than 20+ users then my dashboard should show up.

Please suggest suitable SPL query for this.

ITWhisperer · ‎06-29-2021

index=ert  "192.34.23.122" earliest=-30d | stats dc(user) as "Distinct users" | where 'Distinct users' < 20

SabariRajanT · ‎06-29-2021

index=ert  "192.34.23.122" earliest=-30d | stats dc(user) as "Distinct users" | where 'Distinct users' < 20

In some condition ip address is not specifically determined, like below

index=ert "IPaddress" like this - how do we return the results now?

ITWhisperer · ‎06-29-2021

index=ert  earliest=-30d | stats dc(user) as "Distinct users" by IPAddress | where 'Distinct users' < 20

SPL Query to filter the ip used less than 20+users

table

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms