Solved: Show only NON distinct values for a given field.

soundchaos · ‎06-11-2014

I am looking to compare a list of non unique usernames with unique IP's, and specifically analyze the occurences where any users have logged in with multiple ips.
So far I have:

index="iis_logs" source="url.com" NOT cs_username="-" | table cs_username, c_ip | dedup c_ip

A given username can be all letters, all numbers, or a combination of both, so the "where cs_username > 1 doesn't seem to work.

I also do want to see the actual username, so a stats command that only shows how many ips a given user logged into doesnt work either.

somesoni2 · ‎06-11-2014

Try this

index="iis_logs" source="url.com" NOT cs_username="-" | stats values(c_ip) as c_ip by cs_username | where mvcount(c_ip) > 1

View solution in original post

somesoni2 · ‎06-11-2014

Try this

index="iis_logs" source="url.com" NOT cs_username="-" | stats values(c_ip) as c_ip by cs_username | where mvcount(c_ip) > 1

soundchaos · ‎06-11-2014

This is exactly what I needed, with a better method that I was trying before. Thank you!

Show only NON distinct values for a given field.

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...