Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk more than one mvcount or if statement in mvcount

Pmeiring
Explorer
‎10-28-2020 03:40 AM

Hi Community, 

I'm trying to optimize an existing query to only return values only if a condition is met. 

The existing query:
source="/var/log/wireless.log" AnyConnect OR NetworkDeviceName=fw* "NOTICE Passed-Authentication: Authentication succeeded"
| stats values(Calling_Station_ID) as Public_IP by UserName
| where mvcount(Public_IP) > 1

The output looks something like this: 

UsernamePublic IP
test6849@domain.com127.229.3.176
127.89.234.34
Example678127.122.158.253
127.122.181.170
example5645@domain.com127.96.171.82
127.13.146.208
Example123127.114.242.14
127.114.243.135
127.114.252.31
test123@domain.com127.157.205.179
127.157.211.18
Example586127.94.41.110
127.114.213.249

 

What I'm trying to achieve is only to have this return IF the Public IP address subnets differ. 

As an example values I want returned: 

test6849@domain.comxx.229.3.176
xy.89.234.34


AND not these values - Notice the first 2 subnets are the same (underlined)

UsernamePublic IP
Example678xyz.122.158.253
xyz.122.181.170
Example123127.114.242.14
127.114.243.135
127.114.252.31


I managed to identify the first 2 subnets with regex - but I'm unable to get my query to return values. 

source="/var/log/wireless.log" AnyConnect OR NetworkDeviceName=fw* "NOTICE Passed-Authentication: Authentication succeeded"
| stats values(Calling_Station_ID) as Public_IP by UserName
| stats values(Public_IP_octet) as Subnet_count by UserName
| where (mvcount(Public_IP) > 1 AND mvcount(Subnet_count) < 2)

Any help would be appreciated 

Labels (2)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-28-2020 04:02 AM 
source="/var/log/wireless.log" AnyConnect OR NetworkDeviceName=fw* "NOTICE Passed-Authentication: Authentication succeeded"
| rex field=Calling_Station_ID "(?<subnet>\d+\.\d+)"
| stats values(Calling_Station_ID) as Public_IP values(subnet) as Subnets by UserName
| where mvcount(Subnets) > 1

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-28-2020 04:02 AM 
source="/var/log/wireless.log" AnyConnect OR NetworkDeviceName=fw* "NOTICE Passed-Authentication: Authentication succeeded"
| rex field=Calling_Station_ID "(?<subnet>\d+\.\d+)"
| stats values(Calling_Station_ID) as Public_IP values(subnet) as Subnets by UserName
| where mvcount(Subnets) > 1
0 Karma
Reply
Solved! Jump to solution

Pmeiring
Explorer
‎10-28-2020 04:13 AM

Thanks @ITWhisperer  works perfectly 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...