Thank you for this. I have tried this before and it did not work: the Ip_Count output was empty while all other fields populated with data. I don't know if the placement of your code has any bearing on the outcome.
However, I have similar code which works:
...|stats values(ip) as Affected_IPs count as Total values(Affected_IPs)
But now the output of the count is doubled in the Ip_Count field. For instance, if Splunk finds one IP, the IP_Count field and row count output is two.
My next question is whether you, or anyone, know how to produce a true count that doesn't double my actual IP count in the Affected_IP field?