I'm trying to do a search to find IPs trying to log in using multiple usernames (using Duo). I have it working very close to how I want; the only issue is I need to filter out IP-user entries where there is only one username attempted. Is there a way to do a simple where clause against the number of strings returned from values()? I tried where values(username) > 1 but guess that would have been too simple.
index=duo
| stats values(username) as user, count(username) as attempts by src_ip
| where attempts >1
| sort -attempts
You could use dc, i.e.
index=duo
| stats dc(username) as unique_users count(username) as attempts by src_ip
| where attempts >1 AND unique_users > 1
| sort -attempts
You could also use values(username) and count that, i.e.
index=duo
| stats values(username) as users count(username) as attempts by src_ip
| where attempts >1 AND mvcount(users) > 1
| sort -attempts
if you want to retain the username
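Combining the two approaches above into one search, as an added example that is not part of the original answer: dc() drives the filter (so the threshold is easy to raise), values() keeps the usernames for triage, and earliest/latest bound the spray window. Only the username and src_ip fields from the thread and Splunk's standard _time field are assumed.

```spl
index=duo
| stats values(username) as users
        dc(username) as unique_users
        count as attempts
        earliest(_time) as first_seen
        latest(_time) as last_seen
        by src_ip
| where unique_users > 1
| eval span_min=round((last_seen-first_seen)/60, 1)
| convert ctime(first_seen) ctime(last_seen)
| sort -unique_users -attempts
```

Raise the unique_users threshold or narrow the time range if the result set is too noisy for your environment.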
perfect, thanks! mvcount is what I needed.