Re: Stats Distinct Count (X) + X[Values]

JRamirezEnosys · ‎04-20-2017

Hi Splunkers,

I have a query that gives me the following fields I want to work with.

username
Country (after using iplocation on src_ip)

Some usernames have login from more than 2 countries.

I want to see it on a chart that shows me the top 5 usernames based on how many countries they have log in and which countries are those.

I believe I need to use dc(Country) at some point

This is my search string

index=main event=sso status=success ip!=10.0.0.0/8  | regex subject=^\D\d+$ | iplocation ip | stats dc(Country) by subject

DalJeanis · ‎04-21-2017

Based on your description and code, I have to assume that the field "subject" is holding the username...

andrey2007 · ‎04-21-2017

Try this

index=main event=sso status=success ip!=10.0.0.0/8  | regex subject=^\D\d+$ | iplocation ip | stats dc(Country)  as Country_count values(Country) as Countries by subject | sort 5 - Country_count

somesoni2 · ‎04-21-2017

If your end goal is to see the chart, try this version and select a stacked column/bar chart.

index=main event=sso status=success ip!=10.0.0.0/8  | regex subject=^\D\d+$ | iplocation ip | stats dc(Country)  as Country_count values(Country) as Countries by subject | sort 5 - Country_count
| mvexpand Countries | chart count over subject by Countries

Stats Distinct Count (X) + X[Values]

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation