This is going to come down to you how you group your stats calls:
| stats count(src_ip) by dst_ip
will be different from
| stats count(dst_ip) by src_ip
will be different from
| stats count by dst_ip src_ip
will be different from
| stats count by src_ip dst_ip
What are you actually trying to accomplish?
from User warren – Stack Overflow https://stackoverflow.com/questions/71610969/how-to-group-out-different-ip-address-and-count-their-total-numbers-in-splunk/71618691#71618691
via IFTTT