Splunk Search

Show only NON distinct values for a given field.

Path Finder

I am looking to compare a list of non-unique usernames with unique IPs, and specifically analyze the occurrences where any users have logged in with multiple IPs.
So far I have:

index="iis_logs" source="url.com" NOT cs_username="-" | table cs_username, c_ip | dedup c_ip

A given username can be all letters, all numbers, or a combination of both, so "where cs_username > 1" doesn't seem to work.

I also do want to see the actual username, so a stats command that only shows how many IPs a given user logged into doesn't work either.


Re: Show only NON distinct values for a given field.

SplunkTrust

Try this

index="iis_logs" source="url.com" NOT cs_username="-" | stats values(c_ip) as c_ip by cs_username | where mvcount(c_ip) > 1



Re: Show only NON distinct values for a given field.

Path Finder

This is exactly what I needed, with a better method than I was trying before. Thank you!
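
The grouping performed by the accepted query (stats values(c_ip) by cs_username, then where mvcount(c_ip) > 1), reproduced offline in Python as an added example that is not code from the thread. The sample log lines are constructed, the function names are hypothetical, and the raw W3C field names use hyphens where the thread's Splunk field names use underscores.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (not from the original thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-username c-ip cs-method cs-uri-stem sc-status
2024-01-05 08:00:01 alice 203.0.113.10 POST /login 200
2024-01-05 08:02:13 - 203.0.113.99 GET /favicon.ico 200
2024-01-05 08:05:40 bob42 198.51.100.7 POST /login 200
2024-01-05 09:11:02 alice 198.51.100.23 POST /login 200
2024-01-05 09:30:55 bob42 198.51.100.7 GET /home 200
2024-01-05 10:01:09 1234567 192.0.2.44 POST /login 200
2024-01-05 10:15:31 1234567 192.0.2.45 POST /login 200
2024-01-05 10:16:00 alice 203.0.113.10 GET /home 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def users_with_multiple_ips(events, min_ips=2):
    """Group distinct client IPs per username; keep users seen from min_ips or more."""
    ips_by_user = defaultdict(set)
    for ev in events:
        user = ev.get("cs-username", "-")
        ip = ev.get("c-ip")
        if user != "-" and ip:  # "-" marks an anonymous request, as in the query's NOT filter
            ips_by_user[user].add(ip)
    # A set per user plays the role of values(c_ip); its size is mvcount(c_ip).
    return {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    for user, ips in sorted(users_with_multiple_ips(parse_w3c(SAMPLE_LOG)).items()):
        print(user, ips)
```

Because the comparison is on the number of distinct IPs rather than on the username itself, all-numeric usernames such as 1234567 are handled the same way as alphabetic ones.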