
XML query Problem

  • 09-01-2015 3:27pm
    #1


    I have the below string, built as XML through Splunk:

    <searchterms>table AccountId, ClientIPAddress | stats dc(ClientIPAddress) as CountIP values(ClientIPAddress) as ClientIP by AccountId | where CountIP > 2

    Currently it searches for the number of accounts that have accessed more than 2 IPs, and the output is:
    AccountID A followed by the 3 or more different/unique IPs

    I am looking to change it so it looks for any IP that has more than 2 different/unique accounts associated with it and ignores duplicate accounts for counting. Any help would be much appreciated.

    When it is counting, it should work something simple like this for the same IP:

    Stats
    AccountID
    A (1 Value)
    A (No Value as dupe)
    B (1 Value)
    B (No Value as dupe)
    C (1 Value) (trigger here)

    Triggers when the value of Distinct Account >2 on Same IP.

    Output Result
    ClientIP
    X
    AccountID >2
    A
    B
    C (Or just show the 3rd Account that triggers)
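
The counting behaviour described in the post above, as an added example that is not part of the original post: distinct accounts are counted per client IP, duplicates are ignored, and the account that pushes an IP past the threshold is recorded. The sample events, the function name `shared_ips` and the threshold constant are assumptions made for illustration.

```python
from collections import defaultdict

THRESHOLD = 2  # flag an IP once it has MORE than 2 distinct accounts

# Constructed sample events (AccountId, ClientIPAddress); not real data.
# Addresses are taken from the documentation ranges.
EVENTS = [
    ("A", "203.0.113.7"),
    ("A", "203.0.113.7"),   # duplicate account, not counted again
    ("B", "203.0.113.7"),
    ("B", "203.0.113.7"),   # duplicate
    ("C", "203.0.113.7"),   # third distinct account: trigger
    ("D", "203.0.113.7"),   # listed in the output, does not re-trigger
    ("A", "198.51.100.9"),
    ("B", "198.51.100.9"),  # only two distinct accounts: no trigger
]


def shared_ips(events, threshold=THRESHOLD):
    """Return {ip: {"accounts": [...], "trigger": account}} for every IP
    used by more than `threshold` distinct accounts."""
    seen = defaultdict(list)  # ip -> distinct accounts, first-seen order
    trigger = {}              # ip -> account that crossed the threshold
    for account, ip in events:
        if account in seen[ip]:
            continue          # same account again on this IP: ignore
        seen[ip].append(account)
        if len(seen[ip]) == threshold + 1:
            trigger[ip] = account
    return {
        ip: {"accounts": accounts, "trigger": trigger[ip]}
        for ip, accounts in seen.items()
        if ip in trigger
    }


# The same grouping in SPL swaps the roles of the two fields in the
# original search: count distinct AccountId values BY ClientIPAddress,
# i.e. stats dc(AccountId) ... by ClientIPAddress, then filter on > 2.

if __name__ == "__main__":
    for ip, hit in shared_ips(EVENTS).items():
        print(ip, hit["accounts"], "triggered by", hit["trigger"])
```
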