Solved: Way to exclude results from Values() based on # re...

JR_Akaviri · ‎11-09-2022

I'm trying to do a search to find IPs trying to login in using multiple usernames (using Duo). I have it working very close to how I want the only issue is I need to filter out IP-user entries where there is only one username attempted. Is there a way to do a simple where clause against the number of strings returned from values()? I tried where values(username) > 1 but guess that would have been to simple.

index=duo
| stats values(username) as user, count(username) as attempts by src_ip
| where attempts >1
| sort -attempts

bowesmana · ‎11-09-2022

You could use dc, i.e.

index=duo 
| stats dc(usernmame) as unique_users count(username) as attempts by src_ip
| where attempts >1 AND unique_users = 1
| sort -attempts

You could also use values(username) and count that, i.e.

index=duo 
| stats values(usernmame) as users count(username) as attempts by src_ip
| where attempts >1 AND mvcount(users) = 1
| sort -attempts

if you want to retain the username

View solution in original post

bowesmana · ‎11-09-2022

You could use dc, i.e.

index=duo 
| stats dc(usernmame) as unique_users count(username) as attempts by src_ip
| where attempts >1 AND unique_users = 1
| sort -attempts

You could also use values(username) and count that, i.e.

index=duo 
| stats values(usernmame) as users count(username) as attempts by src_ip
| where attempts >1 AND mvcount(users) = 1
| sort -attempts

if you want to retain the username

JR_Akaviri · ‎11-09-2022

perfect, thanks! mvcount is what I needed.

Way to exclude results from Values() based on # returned?

stats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!