Hello, my question is linked to the below answer.
https://answers.splunk.com/answers/222406/search-to-group-by-country-city-having-count-sorte.html
I'm trying to produce a table that shows
1. City - IP Address - Last seen - Total attacks per IP Address
So far I have:
* | iplocation src | eval City=if(isnull(City) OR City="", "Unknown City", City) |stats values(src) as "IP Address", latest(_time) as "Last seen", count(src) as "Total Count" by City |convert timeformat="%d/%m/20%y %H:%M:%S" ctime("Last seen")
Problem is that this only shows one latest(_time) per City, not the latest time each individual IP address was seen if there is more than one IP address per City.
Thanks very much in advance
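
Added example, not part of the original post: `stats` returns one row per distinct combination of the fields in its `by` clause, so grouping by both `City` and `src` gives each IP address its own latest time and count. The intermediate field names `last_seen` and `total` are chosen here for illustration and are renamed to the post's column titles at the end.

```spl
* | iplocation src
| eval City=if(isnull(City) OR City="", "Unknown City", City)
| stats latest(_time) as last_seen, count as total by City, src
| sort City, -total
| convert timeformat="%d/%m/20%y %H:%M:%S" ctime(last_seen)
| rename src as "IP Address", last_seen as "Last seen", total as "Total Count"
| table City, "IP Address", "Last seen", "Total Count"
```

Sorting happens before `convert` and `rename` so that it operates on the numeric count and on field names without spaces.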