<--- NOOB
Ok...so here is my quandary... I have a query (see below) that returns a list of users, ips and client info from the geoip app. I want to take these results and only look at users with more than one ip associated with them. I used dedup to get rid of duplicates so this is a pretty boiled down set of results. However, there are still thousands of them. How do I get rid of "non-unique" users, keeping only the users that appear more than once?
query:
index=<some_index> c_ip=* User_Agent!="*<string>*" cs_username!="-" rs_Content_Type = "text/html*" | `exclude_internal_ip` | dedup username ip | lookup geoip clientip as ip | fillnull value=NULL | table username,ip,client_country,client_region,date,time,client_city,client_lat,client_lon | sort by str(username),num(ip),date,time,str(client_region)
output is:
user1 xxx.xx.xx.xx US etc...
user2 xxx.xx.xx.yy US etc...
user2 xxx.xx.xx.xy US etc...
user3 xxx.xx.xx.xz US etc...
user4 xxx.xx.xx.zz US etc...
user4 xxx.xx.xx.zx US etc...
I want to pare down the list to:
user2 xxx.xx.xx.yy US etc...
user2 xxx.xx.xx.xy US etc...
user4 xxx.xx.xx.zz US etc...
user4 xxx.xx.xx.zx US etc...
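One way to get the pared-down list, as an added example that is not part of the original post: count the distinct `ip` values per `username` with `eventstats` and keep only the rows where that count is greater than one. `ip_count` is a field name chosen here; the index, string, macro and other field names are the post's own placeholders, and the filter is placed before the `lookup` so geoip enrichment only runs on the rows that survive.

```spl
index=<some_index> c_ip=* User_Agent!="*<string>*" cs_username!="-" rs_Content_Type="text/html*"
| `exclude_internal_ip`
| dedup username ip
| eventstats dc(ip) AS ip_count BY username
| where ip_count > 1
| lookup geoip clientip AS ip
| fillnull value=NULL
| table username, ip, client_country, client_region, date, time, client_city, client_lat, client_lon
| sort 0 str(username), ip(ip), date, time, str(client_region)
```

`sort 0` lifts the default 10,000-result limit of `sort`, which matters with thousands of rows, and `ip(ip)` orders the addresses numerically by octet rather than as strings.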