Solved: Where following a dc(field)

stakor · ‎11-30-2017

I am looking at a firewall. I am trying to find only results where there are more than 20 distinct ports per source.

stats dc(port) by soure_ipaddr

I would like to use something like a where command. I was thinking of using a | where dc(port) > 20, but I get an error when I try that. What should I do to convert the results of the dc(port) to a value that where can use?

somesoni2 · ‎11-30-2017

You would need to use eventstats command to calculate dc(port) per source_ipaddr (adding another field without reducing/filtering) and then apply your where clause. like this

your base search 
| eventstats dc(port) as ports by soure_ipaddr
| where ports>20
| ...rest of the search

View solution in original post

diegofavoretto · ‎01-03-2019

is it possible to apply on the filters the dc(account_id) for example ?

ddrillic · ‎11-30-2017

dc(port) as total .... | where total > 20

somesoni2 · ‎11-30-2017

You would need to use eventstats command to calculate dc(port) per source_ipaddr (adding another field without reducing/filtering) and then apply your where clause. like this

your base search 
| eventstats dc(port) as ports by soure_ipaddr
| where ports>20
| ...rest of the search

Where following a dc(field)

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!