Hi Splunkers!
My data looks like this - it may be familiar from a recent high-profile data leak 🙂
phone number, username, location
21209864XX, user001, london
My hypothesis is to test whether a phone number has created more than one account, which in theory should be impossible.
I want to see a table of phone numbers and the usernames linked to them, sorted by the phone numbers that are linked to the most usernames (hopefully that makes sense!)
I have run a search to group all usernames that share the same phone number.
index="sandbox" | stats list(phonenumber) by username
I want to sort the resulting table by the lists which contain the most usernames. The search below returns the number of events in which a unique phone number can be found, hence the number of usernames it is connected to.
index="sandbox" | stats count(phonenumber) by phonenumber | sort -count(phonenumber)
What I'm struggling to do is link the two together, to sort the listed table. Can anyone help?
Thanks!
Try the following:
index="sandbox" | stats list(username) as usernames by phonenumber | eval count=mvcount(usernames) | sort -count
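An added variant of that search (not from the answer above) for the actual hypothesis, that one phone number is tied to more than one account. It assumes the same phonenumber and username field names as the question, and uses dc() rather than mvcount(list()) so that the same username appearing in several events does not inflate the count, values() so the listed usernames are deduplicated, and a where clause so only the suspicious numbers are returned:

```spl
index="sandbox"
| stats dc(username) AS account_count values(username) AS usernames BY phonenumber
| where account_count > 1
| sort - account_count
| table phonenumber account_count usernames
```

If you also want the raw event count per number for triage, add count to the stats line; it will differ from account_count whenever one user has logged more than one event.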