Splunk Search

SPL query to filter the IP used by less than 20+ users

SabariRajanT
Path Finder

Hi Team,

I have a dashboard where existing results showing Event date, Event title, email id, Logon IP, Logon Location, AD Location.

The condition here is that I need to remove the Logon IP used by more than 20+ users from my current dashboard and display only the Logon IP used by less than 20+ users.


E.g.: index=ert "192.34.23.122" earliest=-30d | stats dc(user) as "Distinct users"

Using the above query, if the logon IP 192.34.23.122 is used by more than 20+ users, then my dashboard doesn't show up.

E.g.: index=ert "192.34.23.122" earliest=-30d | stats dc(user) as "Distinct users"

Using the above query, if the logon IP 192.34.23.122 is used by less than 20+ users, then my dashboard should show up.

Please suggest a suitable SPL query for this.


ITWhisperer
SplunkTrust
index=ert  "192.34.23.122" earliest=-30d | stats dc(user) as "Distinct users" | where 'Distinct users' < 20

SabariRajanT
Path Finder
index=ert  "192.34.23.122" earliest=-30d | stats dc(user) as "Distinct users" | where 'Distinct users' < 20


In some conditions the IP address is not specifically determined, like below:

index=ert "IPaddress" like this - how do we return the results now?


ITWhisperer
SplunkTrust
index=ert  earliest=-30d | stats dc(user) as "Distinct users" by IPAddress | where 'Distinct users' < 20
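As an added illustration (not part of the thread above), here is a Python stand-in for the two SPL shapes involved, run over a constructed set of logon events. The first function mirrors `stats dc(user) ... by IPAddress`, which returns one row per IP and discards the dashboard columns; the second mirrors `eventstats dc(user) as distinct_users by IPAddress | where distinct_users < 20`, which keeps every original event so that Event date, Event title and the other fields remain available for the dashboard. Field names (`user`, `IPAddress`) follow the thread; the events themselves are constructed sample data.

```python
from collections import defaultdict

# Constructed sample logon events standing in for index=ert results.
SAMPLE_EVENTS = [
    {"Event date": "2024-05-01", "Event title": "Logon", "user": f"user{i:02d}",
     "IPAddress": "192.34.23.122", "Logon Location": "VPN"}
    for i in range(25)                        # 25 distinct users on one IP
] + [
    {"Event date": "2024-05-02", "Event title": "Logon", "user": "alice",
     "IPAddress": "10.0.0.7", "Logon Location": "Office"},
    {"Event date": "2024-05-02", "Event title": "Logon", "user": "alice",
     "IPAddress": "10.0.0.7", "Logon Location": "Office"},  # repeat logon: dc stays 1
    {"Event date": "2024-05-03", "Event title": "Logon", "user": "bob",
     "IPAddress": "10.0.0.7", "Logon Location": "Office"},
    {"Event date": "2024-05-03", "Event title": "Logon", "user": "carol",
     "Logon Location": "Home"},               # no IPAddress: dropped by "by IPAddress"
]


def distinct_users_by_ip(events):
    """Like `stats dc(user) as distinct_users by IPAddress`: one entry per IP
    with its distinct-user count; the per-event fields are gone."""
    users = defaultdict(set)
    for ev in events:
        if "IPAddress" in ev and "user" in ev:
            users[ev["IPAddress"]].add(ev["user"])
    return {ip: len(names) for ip, names in users.items()}


def low_fanout_events(events, threshold=20):
    """Like `eventstats dc(user) as distinct_users by IPAddress
    | where distinct_users < threshold`: every original event whose IP is
    used by fewer than `threshold` distinct users, with the count attached."""
    counts = distinct_users_by_ip(events)
    return [
        dict(ev, distinct_users=counts.get(ev["IPAddress"], 0))
        for ev in events
        if "IPAddress" in ev and counts.get(ev["IPAddress"], 0) < threshold
    ]


if __name__ == "__main__":
    for row in low_fanout_events(SAMPLE_EVENTS):
        print(row["Event date"], row["IPAddress"], row["user"], row["distinct_users"])
```

Note that `dc(user)` counts values as written, so user names differing only in case count as separate users unless normalised (for example with `eval user=lower(user)`) before the count.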