Hello,

I am having problems with Splunk queries were a single unique instance of a field is repeated over other field instances. For example, I imported a csv with extracted fields from a windows security event log for failed logon events. The problem is for example if the account of the failed login event is Administrator coming from multiple source IPs, "Administrator shows for each unique IP. Were instead I want to show only one entry of Administrator for each failed source IP. Similarly, I have firewall logs with a similar circumstance. For traffic originating from IP 192.168.1.10, over different ports, to a single destination IP. My current query returns the single destination IP for each different service port. Instead for single source, destination, I want to see the list of service ports for that combination. However the destination IP will have an entry for each different service port. I am using the following query:

index="fw_traffic" Rule="Internet" | stats list(Application) as App, list("Destination address") as dst_ip by "Source address" | sort dst_ip

host = win2008 EventID=4625 | stats count, values(IP) as IP by Account, Workstation | table Account, IP, Workstation | sort Account