Splunk Search

How to find the multiple IP sources per user?

nazanin2016
Path Finder

Hi I am trying to filter my search by user name and Ip.I used the simple command
(mysearch)|table src_user,src_ip , it gives me some values of ip per user
but when I do the search as :
(mysearch)|stats count by src_user,src_ip it gives me all the values of ip per user.
My question is that why they both don't give me the same result for ip source? why table command miss some of the ips?
Thanks

Tags (1)
0 Karma

gokadroid
Motivator

To answer this part of the question My question is that why they both don't give me the same result for ip source? why table command miss some of the ips?; can you please check if the data is not on the "other pages" (see the numbers 1,2,3 >> at the bottom) and what you are viewing is the first page of the paginated table data. Try sorting for a user or ip to see if you find the data.

There should not be any reason why table command should miss any of the user and ips combination which stats command is aggregating. One way to check if both commands are giving the same data is finding for a single user and ip combination like:

Query 1

your base search
| table src_user,src_ip
| where src_user="anyUserValue"  AND src_ip="IPwhichExistsForUser"

Query 2

your base search
| stats count by src_user,src_ip
| where src_user="anyUserValue"  AND src_ip="IPwhichExistsForUser"

The count in second query should equal to the number of lines which appear in table given by first query.

niketn
Legend

Table will list all src_user and src_ip values. Only difference is that stats command counts such occurrences and aggregates the result.

You can validate whether the number of results for the following two commands are same or not.

<Your Base Search> | dedup src_user, src_ip | sort src_user, src_ip | table src_user, src_ip 

<Your Base Search> | stats count by src_user,src_ip | sort src_user, src_ip
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...