
XML query Problem

  • 09-01-2015 03:27PM
    #1
    Registered Users, Registered Users 2 Posts: 134 ✭✭


    I have the below string built as XML through Splunk:

    <searchterms>table AccountId, ClientIPAddress | stats dc(ClientIPAddress) as CountIP values(ClientIPAddress) as ClientIP by AccountId | where CountIP > 2

    Currently it searches for the number of accounts that have accessed more than 2 IPs, and the output is:
    AccountID A followed by the 3 or more different/unique IPs

    I am looking to change it so it looks for any IP that has more than 2 different/unique accounts associated with it and ignores duplicate accounts when counting. Any help would be much appreciated.

    When it is counting, it should work something simple like this for the same IP:

    Stats
    AccountID
    A (1 Value)
    A (No Value as dupe)
    B (1 Value)
    B (No Value as dupe)
    C (1 Value) (trigger here)

    Triggers when the value of Distinct Account >2 on Same IP.

    Output Result
    ClientIP
    X
    AccountID >2
    A
    B
    C (Or just show the 3rd Account that triggers)
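
The counting the post asks for (distinct accounts per IP, duplicates ignored, trigger above 2), as an added Python example that is not part of the original post. The sample events, IP addresses, function names and the `CountAccount`/`Accounts` result names in the comment are constructed here.

```python
# Equivalent idea in SPL, swapping the two fields of the post's search
# (result field names are chosen for this example):
#   ... | stats dc(AccountId) as CountAccount values(AccountId) as Accounts
#         by ClientIPAddress | where CountAccount > 2

# Constructed sample events; field names follow the search in the post.
EVENTS = [
    {"AccountId": "A", "ClientIPAddress": "203.0.113.10"},
    {"AccountId": "A", "ClientIPAddress": "203.0.113.10"},  # duplicate, not counted
    {"AccountId": "B", "ClientIPAddress": "203.0.113.10"},
    {"AccountId": "B", "ClientIPAddress": "203.0.113.10"},  # duplicate, not counted
    {"AccountId": "C", "ClientIPAddress": "203.0.113.10"},  # third distinct account
    {"AccountId": "A", "ClientIPAddress": "198.51.100.7"},
    {"AccountId": "D", "ClientIPAddress": "198.51.100.7"},
    {"AccountId": "A", "ClientIPAddress": "198.51.100.7"},  # duplicate, not counted
]

THRESHOLD = 2  # report an IP once its distinct-account count exceeds this


def accounts_per_ip(events):
    """Map each IP to its distinct accounts in first-seen order."""
    seen = {}
    for ev in events:
        accounts = seen.setdefault(ev["ClientIPAddress"], [])
        if ev["AccountId"] not in accounts:  # ignore repeat sightings
            accounts.append(ev["AccountId"])
    return seen


def shared_ips(events, threshold=THRESHOLD):
    """Return IPs with more than `threshold` distinct accounts.

    'trigger' is the account whose first appearance pushed the IP over
    the threshold (the third distinct account when threshold is 2).
    """
    hits = {}
    for ip, accounts in accounts_per_ip(events).items():
        if len(accounts) > threshold:
            hits[ip] = {"accounts": accounts, "trigger": accounts[threshold]}
    return hits


if __name__ == "__main__":
    for ip, info in shared_ips(EVENTS).items():
        print(ip, info["accounts"], "triggered by", info["trigger"])
```
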