Splunk Search

Show only NON distinct values for a given field.

Path Finder

I am looking to compare a list of non unique usernames with unique IP's, and specifically analyze the occurences where any users have logged in with multiple ips.
So far I have:

index="iis_logs" source="url.com" NOT cs_username="-" | table cs_username, c_ip | dedup c_ip

A given username can be all letters, all numbers, or a combination of both, so the "where cs_username > 1 doesn't seem to work.

I also do want to see the actual username, so a stats command that only shows how many ips a given user logged into doesnt work either.

1 Solution

SplunkTrust
SplunkTrust

Try this

index="iis_logs" source="url.com" NOT cs_username="-" | stats values(c_ip) as c_ip by cs_username | where mvcount(c_ip) > 1

View solution in original post

SplunkTrust
SplunkTrust

Try this

index="iis_logs" source="url.com" NOT cs_username="-" | stats values(c_ip) as c_ip by cs_username | where mvcount(c_ip) > 1

View solution in original post

Path Finder

This is exactly what I needed, with a better method that I was trying before. Thank you!