Hi All,
Having issues with trying to get a search to work. Below is the sample data after I write the following query
index=index sourcetype=sourcetype | stats values(src_ip) by user
Data:
user        src_ip
----------  --------
testuser    1.1.1.1
            1.1.1.2
----------  --------
testuser1   2.2.2.2
----------  --------
testuser2   3.3.3.3
What I am trying to get out of a search is: if a person has two recorded IP addresses against their name, return that result to me. So in the above data sample I am only interested in testuser, not the rest. Just imagine that 1.1.1.1 and 1.1.1.2 are aligned in the same field ;).
Look forward to your responses and thanks in advance 🙂
Hi,
You can try using the dc command. Try the following query:
index=index sourcetype=sourcetype | stats dc(src_ip) as UniqueIPCount by user | where UniqueIPCount > 1
Thanks!!!
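An extended form of that query, added here as an example and not part of the original answer: it keeps the dc filter but also lists the distinct addresses and the first and last time each user was seen, so the result is directly reviewable. It assumes the same index, sourcetype and field names (user, src_ip, _time) as in the question.

```spl
index=index sourcetype=sourcetype
| stats dc(src_ip) as UniqueIPCount values(src_ip) as src_ips min(_time) as first_seen max(_time) as last_seen by user
| where UniqueIPCount > 1
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - UniqueIPCount
```

dc counts distinct values, so a user seen a hundred times from one address still scores 1 and is dropped by the where clause; values only lists the addresses, which is why the original query could show the pair for testuser but not filter on it.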
Omg so simple. Thank you 🙂