Solved: Using stats dc with stats list and count

jwalzerpitt · ‎01-16-2019

I have the following search looking for external hosts that are trying to brute force multiple WordPress or Drupal sites:

index=foo sourcetype="f5:bigip:asm:syslog" action!=blocked uri="/*login.php" OR uri="/*admin/" OR  uri="*user\/login" uri!="*revslider*" action!=blocked 
| stats count by src uri
| sort -count
| stats list(uri) as URI, list(count) as count, sum(count) as Total by src 
| sort -Total
| head 10

Output is as follows:

alt text

How can I utilize stats dc to return only those results that have >5 URIs?

Thx

vnravikumar · ‎01-16-2019

Hi @jwalzerpitt

Please try

| stats dc(uri) as distinct_uri, values(uri) as URI, values(count) as count, sum(count) as Total by src | where distinct_uri > 5

View solution in original post

vnravikumar · ‎01-16-2019

Hi @jwalzerpitt

Please try

| stats dc(uri) as distinct_uri, values(uri) as URI, values(count) as count, sum(count) as Total by src | where distinct_uri > 5

jwalzerpitt · ‎01-16-2019

Thx as that worked perfectly!

vnravikumar · ‎01-16-2019

welcome 🙂

Using stats dc with stats list and count

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies