XML query Problem

  • 09-01-2015 03:27PM
    #1
    Registered Users, Registered Users 2 Posts: 134 ✭✭


    I have the below string, built in XML through Splunk:

    <searchterms>table AccountId, ClientIPAddress | stats dc(ClientIPAddress) as CountIP values(ClientIPAddress) as ClientIP by AccountId | where CountIP > 2

    Currently it searches the number of accounts that have accessed more than 2 IPs, and the output is:
    AccountID A followed by the 3 or more different/unique IPs

    I am looking to change it so it looks for any IP that has more than 2 different/unique accounts associated with it and ignores dupe accounts for counting. Any help would be much appreciated.

    When it is counting, it should work something simple like this for the same IP:

    Stats
    AccountID
    A (1 Value)
    A (No Value as dupe)
    B (1 Value)
    B (No Value as dupe)
    C (1 Value) (trigger here)

    Triggers when the value of Distinct Account >2 on Same IP.

    Output Result
    ClientIP
    X
    AccountID >2
    A
    B
    C (Or just show the 3rd Account that triggers)
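
The counting described in the post above, as an added example that is not part of the original post: it groups by IP instead of by account, counts each account once per IP, and records which account pushed the IP past the threshold. The event tuples, IP addresses and the function name `accounts_per_ip` are constructed for illustration; the SPL in the comment is the same grouping with the two fields swapped, and `CountAccounts`/`Accounts` are assumed output names.

```python
# Same grouping expressed in SPL (fields swapped relative to the posted search):
#   table AccountId, ClientIPAddress
#   | stats dc(AccountId) as CountAccounts values(AccountId) as Accounts by ClientIPAddress
#   | where CountAccounts > 2

# Constructed sample events (AccountId, ClientIPAddress), in arrival order.
EVENTS = [
    ("A", "203.0.113.10"),
    ("A", "203.0.113.10"),   # duplicate account on this IP, not counted again
    ("B", "203.0.113.10"),
    ("B", "203.0.113.10"),   # duplicate
    ("C", "203.0.113.10"),   # third distinct account on this IP: trigger
    ("A", "198.51.100.7"),
    ("D", "198.51.100.7"),   # only two distinct accounts: no trigger
    (None, "198.51.100.7"),  # event with no AccountId: ignored, as dc() ignores nulls
]


def accounts_per_ip(events, threshold=2):
    """Return {ip: {"accounts": [...], "trigger": account}} for every IP
    with more than `threshold` distinct accounts."""
    seen = {}      # ip -> distinct accounts in first-seen order
    trigger = {}   # ip -> account that pushed the count past the threshold
    for account, ip in events:
        if not account or not ip:
            continue                      # skip events missing either field
        accounts = seen.setdefault(ip, [])
        if account in accounts:
            continue                      # dupe account for this IP
        accounts.append(account)
        if len(accounts) == threshold + 1:
            trigger[ip] = account
    return {ip: {"accounts": seen[ip], "trigger": acct}
            for ip, acct in trigger.items()}


if __name__ == "__main__":
    for ip, hit in accounts_per_ip(EVENTS).items():
        print(ip, hit["accounts"], "triggered by", hit["trigger"])
```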