Re: How to rename distinct_count() in a stats comm...

russelljesse · ‎06-11-2018

I am running the following search:

source="whatever.log" user != \- user != \auto request=*GET* | stats distinct_count(ipaddr) count by user | search "distinct_count(ipaddr)" > 3

to find users not of username"-" or "auto" with a request type of get*, and looking for users in the log with more than 3 different IP addresses. I get the information I want, but I am finding it impossible to rename the disctinct_count result from my stats command.

Any ideas?

russelljesse · ‎06-12-2018

I had tried many iterations of using AS, trying to pipe to tables, renames, but your code did work. I think because I was using search instead of where, it was not finding the field. Regardless, your code worked. Thanks!

Ayn · ‎06-11-2018

Not sure what you tried and didn't get working, but renaming the distinct_count should be as easy as using the "as" argument:

source="whatever.log" user != \- user != \auto request=*GET* | stats distinct_count(ipaddr) as distinct_ips, count by user | where distinct_ips > 3

I also removed the quotation marks from your ending search, as using those would cause Splunk to interpret the text in the quotation marks as a string and try to compare that string to a number. It doesn't give any syntax errors (I think) but simply doesn't make sense.

How to rename distinct_count() in a stats command

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases