Advertisement
Help Keep Boards Alive. Support us by going ad free today. See here: https://subscriptions.boards.ie/.
https://www.boards.ie/group/1878-subscribers-forum

Private Group for paid up members of Boards.ie. Join the club.
Hi all, please see this major site announcement: https://www.boards.ie/discussion/2058427594/boards-ie-2026

XML query Problem

  • 09-01-2015 02:27PM
    #1
    corigi
    Registered Users, Registered Users 2 Posts: 134 ✭✭


    I having the below string built xml through splunk:

    <searchterms>table AccountId, ClientIPAddress | stats dc(ClientIPAddress) as CountIP values(ClientIPAddress) as ClientIP by AccountId | where CountIP > 2

    Currently it searches the number of accounts that have accessed more than 2 IPs and the output is.
    AccountID A following by the 3 or more different/unique IPs

    I looking to change it so it looks for any IP that has more than 2 different/unique Accounts associated to it and ignores dupe Account for counting. Any help be much appreciated.

    When it is counting if should work something simple like this for same IP:

    Stats
    AccountID
    A (1 Value)
    A (No Value as dupe)
    B (1 Value)
    B (No Value as dupe)
    C (1 Value) (trigger here)

    Triggers when the value of Distinct Account >2 on Same IP.

    Output Result
    ClientIP
    X
    AccountID >2
    A
    B
    C (Or just show the 3rd Account that triggers)
    Tagged:


Advertisement