https://community.splunk.com/t5/Security/Distance-between-two-or-more-Geolocations-Lat-Lon/m-p/558498#M12369 <P>Speed is e.g. when user connected from London and next time from China - in this field you can see with what speed user was traveling. This can be very suspicious in case user in 5 minutes did so. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> distance is in miles but you can recalculate for your needs.</P> Wed, 07 Jul 2021 06:19:33 GMT Gene 2021-07-07T06:19:33Z https://community.splunk.com/t5/Security/Distance-between-two-or-more-Geolocations-Lat-Lon/m-p/558321#M12357 <P>I'm have a search that pulls in user login info with lat and lon. I'm trying to calculate the distance between two cordinates for the same user name. If there isn't a match on username, I want it to move to the next match and then output the distance between the two with the login time.&nbsp;</P> Mon, 05 Jul 2021 15:19:50 GMT https://community.splunk.com/t5/Security/Distance-between-two-or-more-Geolocations-Lat-Lon/m-p/558321#M12357 Bryon_bowman 2021-07-05T15:19:50Z https://community.splunk.com/t5/Security/Distance-between-two-or-more-Geolocations-Lat-Lon/m-p/558373#M12360 <P>Your search<BR />| eventstats dc(src) as src_count by user<BR />| search src_count&gt;1<BR />| sort 0 + _time<BR />| iplocation src<BR />| where isnotnull(lat) AND isnotnull(lon)<BR />| streamstats window=2 global=false earliest(lat) as prev_lat, earliest(lon) as prev_lon, earliest(_time) as prev_time, earliest(src) as prev_src, earliest(City) as prev_city, earliest(Country) as prev_country, earliest(app) as prev_app by user<BR />| where (src != prev_src)<BR />| eval lat1_r=((lat * 3.14159265358) / 180), lat2_r=((prev_lat * 3.14159265358) / 180), delta=(((prev_lon - lon) * 3.14159265358) / 180), distance=(3959 * acos(((sin(lat1_r) * sin(lat2_r)) + ((cos(lat1_r) * cos(lat2_r)) * cos(delta))))), distance=round(distance,2)<BR />| fields - lat1_r, lat2_r, long1_r, long2_r, delta<BR />| eval time_diff=if((('_time' - prev_time) == 0),1,('_time' - prev_time)), speed=round(((distance * 3600) / time_diff),2)<BR />| eval prev_time=strftime(prev_time,"%Y-%m-%d %H:%M:%S")<BR />| table user, src, _time, City, Country, app, prev_src, prev_time, prev_city, prev_country, prev_app, distance, speed<BR /><BR />Hope that will help.<BR /><BR />Thanks, Gene</P> Tue, 06 Jul 2021 09:21:31 GMT https://community.splunk.com/t5/Security/Distance-between-two-or-more-Geolocations-Lat-Lon/m-p/558373#M12360 Gene 2021-07-06T09:21:31Z https://community.splunk.com/t5/Security/Distance-between-two-or-more-Geolocations-Lat-Lon/m-p/558439#M12364 <P>This looks great. Just two questions...what is speed and is the distance in Kilometers or Miles and speed MPH or KPH?&nbsp;</P> Tue, 06 Jul 2021 15:24:02 GMT https://community.splunk.com/t5/Security/Distance-between-two-or-more-Geolocations-Lat-Lon/m-p/558439#M12364 Bryon_bowman 2021-07-06T15:24:02Z https://community.splunk.com/t5/Security/Distance-between-two-or-more-Geolocations-Lat-Lon/m-p/558498#M12369 <P>Speed is e.g. when user connected from London and next time from China - in this field you can see with what speed user was traveling. This can be very suspicious in case user in 5 minutes did so. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> distance is in miles but you can recalculate for your needs.</P> Wed, 07 Jul 2021 06:19:33 GMT https://community.splunk.com/t5/Security/Distance-between-two-or-more-Geolocations-Lat-Lon/m-p/558498#M12369 Gene 2021-07-07T06:19:33Z https://community.splunk.com/t5/Security/Distance-between-two-or-more-Geolocations-Lat-Lon/m-p/558601#M12376 <P>Thank you!! I should have clarified. is the speed in MPH? Also is there a way to add time between the two logins as a column?&nbsp;</P> Wed, 07 Jul 2021 17:15:34 GMT https://community.splunk.com/t5/Security/Distance-between-two-or-more-Geolocations-Lat-Lon/m-p/558601#M12376 Bryon_bowman 2021-07-07T17:15:34Z