Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Way to exclude results from Values() based on # returned?

JR_Akaviri
Engager
‎11-09-2022 02:25 PM

I'm trying to do a search to find IPs trying to login in using multiple usernames (using Duo).  I have it working very close to how I want the only issue is I need to filter out IP-user entries where there is only one username attempted.  Is there a way to do a simple where clause against the number of strings returned from values()?  I tried where values(username) > 1 but guess that would have been to simple.

 

index=duo 
| stats values(username) as user, count(username) as attempts by src_ip
| where attempts >1
| sort -attempts

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-09-2022 02:31 PM

You could use dc, i.e.

index=duo 
| stats dc(usernmame) as unique_users count(username) as attempts by src_ip
| where attempts >1 AND unique_users = 1
| sort -attempts

You could also use values(username) and count that, i.e.

index=duo 
| stats values(usernmame) as users count(username) as attempts by src_ip
| where attempts >1 AND mvcount(users) = 1
| sort -attempts

if you want to retain the username

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-09-2022 02:31 PM

You could use dc, i.e.

index=duo 
| stats dc(usernmame) as unique_users count(username) as attempts by src_ip
| where attempts >1 AND unique_users = 1
| sort -attempts

You could also use values(username) and count that, i.e.

index=duo 
| stats values(usernmame) as users count(username) as attempts by src_ip
| where attempts >1 AND mvcount(users) = 1
| sort -attempts

if you want to retain the username

Reply
Solved! Jump to solution

JR_Akaviri
Engager
‎11-09-2022 02:37 PM

perfect, thanks! mvcount is what I needed.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...