Splunk Search

How to find the multiple IP sources per user?

nazanin2016
Path Finder

Hi, I am trying to filter my search by user name and IP. I used the simple command
(mysearch)|table src_user,src_ip ; it gives me some values of IP per user,
but when I do the search as
(mysearch)|stats count by src_user,src_ip it gives me all the values of IP per user.
My question is: why don't they both give me the same result for source IP? Why does the table command miss some of the IPs?
Thanks


gokadroid
Motivator

To answer this part of the question ("My question is that why they both don't give me the same result for ip source? why table command miss some of the ips?"): can you please check whether the data is on the "other pages" (see the numbers 1, 2, 3 >> at the bottom) and whether what you are viewing is only the first page of the paginated table data. Try sorting for a user or IP to see if you find the data.

There should not be any reason why the table command should miss any of the user and IP combinations which the stats command is aggregating. One way to check whether both commands are giving the same data is searching for a single user and IP combination, like:

Query 1

your base search
| table src_user,src_ip
| where src_user="anyUserValue"  AND src_ip="IPwhichExistsForUser"

Query 2

your base search
| stats count by src_user,src_ip
| where src_user="anyUserValue"  AND src_ip="IPwhichExistsForUser"

The count in the second query should equal the number of lines which appear in the table given by the first query.

niketn
Legend

Table will list all src_user and src_ip values. The only difference is that the stats command counts such occurrences and aggregates the result.

You can validate whether the number of results for the following two commands is the same or not.

<Your Base Search> | dedup src_user, src_ip | sort src_user, src_ip | table src_user, src_ip 

<Your Base Search> | stats count by src_user,src_ip | sort src_user, src_ip
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
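As an added illustration (not from either answer above), the search below builds a constructed six-event dataset with makeresults so it runs in any search bar without indexed data, then shows the table rows and the stats rows side by side in one result set via appendpipe. It also surfaces one caveat worth remembering when doing the count-versus-rows check from the answers: table lists every event, including one whose src_ip never extracted, while stats count by src_user, src_ip silently drops events where either by-field is null, so the two outputs only agree for pairs where both fields are populated. The user names and addresses are made up.

```spl
| makeresults count=6
| streamstats count AS n
| eval src_user=case(n<=3, "alice", n<=5, "bob", true(), "carol")
| eval src_ip=case(n<=2, "10.0.0.1", n==3, "10.0.0.2", n<=5, "10.0.0.9", true(), null())
| eval source_cmd="table"
| appendpipe [ stats count by src_user, src_ip | eval source_cmd="stats" ]
| table source_cmd, src_user, src_ip, count
```

Expect six "table" rows (carol with an empty src_ip) followed by three "stats" rows whose count values (2, 1, 2) match the number of table rows for each populated pair; carol has no stats row at all, which is the case where a user can appear in one output and not the other.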