Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is it showing more data after dc count with the right order?

dieguiariel
Path Finder
‎03-15-2023 05:21 AM

Hi! im working on an alert for access from different countries for certain users in a short time period. The alert and the search works fine but i will like to show more info when the alert triggers (source ip and time).

 

Here a sample of the event:

09:09:55,377 INFO [XX.XXX.XXXXXXX.cbapi.dao.login.LoginDAOImpl] (default task-34878) Enviamos parámetros: [authTipoPassword=E, authDato=4249929, authTipoDato=D, nroDocEmpresa=80097256-2, tipoDocEmpresa=D, authCodCanal=999, authIP=45.170.128.191, esDealer=N, dispositivoID=40ee57e1-e5eb-4b14-b7ef-9f0f8ccdf6c

2, dispositivoOS=null ]

Here the search:

index="XXXX" host="XXX.XXX.-*" sourcetype=XXXXXXCBAPI*  authDato authIP dao.login.LoginDAOImpl authIP=* authCodCanal=999 | iplocation authIP | eval Country = if(isnull(Country) OR Country="", "Unknown", Country) | stats
dc(Country) AS count
values(Country) AS country values(authIP) as authIP
latest(_time) AS latest
BY authDato | where count > 1 | eval latest=strftime(latest,"%Y-%m-%d %H:%M:%S") | sort - latest

With this i get a result like this:

authdato | count | Country | authIP | latest

2363494 | 2 |   Argentina | 170.51.250.39 | 2023-03-15 09:09:09

                              Paraguay | 170.51.55.186

the thing is.. the ip address aren't aligned with the country for that ip, neither the time is aligned with the last Country or ip address.

Ive tried several things but still can't figure out how to correctly present the results (in the right order i mean)

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-15-2023 05:43 AM

Use list() rather than values() - values() will put the values in (lexicographical) order and removes duplicates, whereas list() maintains the order and duplicates.

View solution in original post

Reply
Solved! Jump to solution

dieguiariel
Path Finder
‎03-15-2023 06:02 AM

Hi! thank yoy both for the answer, it worked with list! 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-15-2023 05:43 AM

Use list() rather than values() - values() will put the values in (lexicographical) order and removes duplicates, whereas list() maintains the order and duplicates.

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-15-2023 05:43 AM

The values function returns unique values of a field in alphabetical order.  You can't change that.

Try the list function, instead, which return all values in the order they were found.  Only 100 values are returned, however.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...