How can I retrieve count or distinct count of some field values using stats function? (phaniraj)

03-27-2018 10:32 AM Hi, I have a query which runs and returns the list of IPs in a table format grouped by username. In my table of results there might be different IPs for the same username, which are listed down in the single IP cell.

Group-by in Splunk is done with the stats command. General template: search criteria, extract fields if necessary, stats or timechart. Group by count, distinct count, time buckets. Group by sum. Group by multiple fields. For info on how to use rex to extract fields: Splunk regular Expressions: Rex Command Examples. When using wildcards to query multiple fields, errors might occur if the fields are of different types.

The following search correctly counts the number of unique usernames over the timespan of the search. I've been asked to find the unique number of users that log in month over month for the last year or so. We're trying to understand what our growth rate is in Nexus usage.

Those are much simpler than what you're asking for obviously. Breaking down the following search in English, we take the unique combinations of ACCOUNT and IP (using stats). We then pipe these rows through eventstats so that each row will get a 'distinctIPs' field. The distinctIPs value is the number of IP values that that row's ACCOUNT field was accessed by. Then we treat this as a rough weighting, and we just add up the values for each IP. It's kind of a ridiculous field name, but for clarity I've called it "totalDistinctIPsAccessedByAccountsTheyAccessed".

| stats count by ACCOUNT IP | eventstats dc(IP) as distinctIPs by ACCOUNT | stats count sum(distinctIPs) as totalDistinctIPsAccessedByAccountsTheyAccessed by IP | sort - totalDistinctIPsAccessedByAccountsTheyAccessed

For each IP, the number of ACCOUNT it accesses. In the end you get a list of the top IP addresses that had accessed LOTS of accounts, weighted heavily towards those where the accessed accounts were themselves accessed by a LOT of IPs.
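The weighted search above, re-implemented stage by stage in Python so each intermediate result can be inspected. This is an added example, not code from the answer; the (ACCOUNT, IP) events are constructed, and chosen so that an IP touching fewer accounts still outranks one touching more, because the accounts it touched were also hit from other IPs.

```python
from collections import Counter, defaultdict

# Constructed sample events (not from the page): one (ACCOUNT, IP) pair per login.
# 10.0.0.4 touches three accounts nobody else uses; 10.0.0.2 touches only two,
# but both of those accounts were also accessed from 10.0.0.1.
EVENTS = [
    ("alice", "10.0.0.1"), ("alice", "10.0.0.1"),
    ("bob", "10.0.0.1"), ("carol", "10.0.0.1"),
    ("bob", "10.0.0.2"), ("carol", "10.0.0.2"),
    ("dave", "10.0.0.3"), ("dave", "10.0.0.3"),
    ("erin", "10.0.0.4"), ("frank", "10.0.0.4"), ("grace", "10.0.0.4"),
]


def score_ips(events):
    """Return [(ip, {"count": accounts_touched, "total": weighted_score}), ...]
    sorted like the SPL pipeline's final `sort -` stage."""
    # | stats count by ACCOUNT IP
    # One row per distinct (ACCOUNT, IP) pair; the raw count is not used later.
    pair_rows = Counter(events)

    # | eventstats dc(IP) as distinctIPs by ACCOUNT
    # Every row inherits, for its ACCOUNT, how many distinct IPs hit that account.
    ips_per_account = defaultdict(set)
    for account, ip in pair_rows:
        ips_per_account[account].add(ip)

    # | stats count sum(distinctIPs) as totalDistinctIPsAccessedByAccountsTheyAccessed by IP
    # Rows are already unique per pair, so `count` is the number of accounts the IP touched;
    # `sum(distinctIPs)` is the rough weighting described in the answer.
    per_ip = {}
    for account, ip in pair_rows:
        row = per_ip.setdefault(ip, {"count": 0, "total": 0})
        row["count"] += 1
        row["total"] += len(ips_per_account[account])

    # | sort - totalDistinctIPsAccessedByAccountsTheyAccessed
    return sorted(per_ip.items(), key=lambda kv: kv[1]["total"], reverse=True)


if __name__ == "__main__":
    for ip, row in score_ips(EVENTS):
        print(f"{ip:10} accounts={row['count']} weighted={row['total']}")
```

Plain `dc(ACCOUNT)` would tie 10.0.0.1 and 10.0.0.4 at three accounts each; the weighting ranks 10.0.0.2 above 10.0.0.4 because its two accounts are shared with another source.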