Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Way to exclude results from Values() based on # returned?

JR_Akaviri
Engager
‎11-09-2022 02:25 PM

I'm trying to do a search to find IPs trying to login in using multiple usernames (using Duo).  I have it working very close to how I want the only issue is I need to filter out IP-user entries where there is only one username attempted.  Is there a way to do a simple where clause against the number of strings returned from values()?  I tried where values(username) > 1 but guess that would have been to simple.

 

index=duo 
| stats values(username) as user, count(username) as attempts by src_ip
| where attempts >1
| sort -attempts

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-09-2022 02:31 PM

You could use dc, i.e.

index=duo 
| stats dc(usernmame) as unique_users count(username) as attempts by src_ip
| where attempts >1 AND unique_users = 1
| sort -attempts

You could also use values(username) and count that, i.e.

index=duo 
| stats values(usernmame) as users count(username) as attempts by src_ip
| where attempts >1 AND mvcount(users) = 1
| sort -attempts

if you want to retain the username

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-09-2022 02:31 PM

You could use dc, i.e.

index=duo 
| stats dc(usernmame) as unique_users count(username) as attempts by src_ip
| where attempts >1 AND unique_users = 1
| sort -attempts

You could also use values(username) and count that, i.e.

index=duo 
| stats values(usernmame) as users count(username) as attempts by src_ip
| where attempts >1 AND mvcount(users) = 1
| sort -attempts

if you want to retain the username

Reply
Solved! Jump to solution

JR_Akaviri
Engager
‎11-09-2022 02:37 PM

perfect, thanks! mvcount is what I needed.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...