https://community.splunk.com/t5/Splunk-Enterprise/How-can-I-adjust-the-query-to-include-total-connections-that-are/m-p/639978#M16039 <P><SPAN>index=company_logs "Client Type: Cisco AnyConnect VPN Agent"<BR />| stats count src Cisco_ASA_user<BR />| iplocation src<BR /></SPAN>| search NOT Country="United States"<BR />| stats sum(count) AS count dc(src) AS dc_src BY Country user<BR />| stats list(*) AS * BY user</P> Fri, 14 Apr 2023 18:13:11 GMT woodcock 2023-04-14T18:13:11Z https://community.splunk.com/t5/Splunk-Enterprise/How-can-I-adjust-the-query-to-include-total-connections-that-are/m-p/639817#M16021 <P>Good Morning,<BR /><BR />I have a query that I'd like to refine. I'm new to Splunk.<BR /><BR />So the current query that I'm running is used to identify when people outside of the country connect to our VPN.<BR /><BR /></P> <P>index=company_logs "Client Type: Cisco AnyConnect VPN Agent" | iplocation src | stats dc(src) by Country<BR /><BR />So this works fine for giving us a tally as to how many total connections are initiated out of the country.<BR /><BR />I'd like to get more granular and have a breakdown by username. This is the field that contains the username:&nbsp;Cisco_ASA_user.<BR /><BR />How can I adjust the query to include that data?<BR /><BR />Thanks!<BR /><BR /></P> Thu, 13 Apr 2023 16:36:08 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-can-I-adjust-the-query-to-include-total-connections-that-are/m-p/639817#M16021 Network506 2023-04-13T16:36:08Z https://community.splunk.com/t5/Splunk-Enterprise/How-can-I-adjust-the-query-to-include-total-connections-that-are/m-p/639822#M16022 <P>There's a few ways to break it down by users. You can try:</P><P>&nbsp;</P><LI-CODE lang="markup">index=company_logs "Client Type: Cisco AnyConnect VPN Agent" | iplocation src | stats dc(src) BY Country Cisco_ASA_user index=company_logs "Client Type: Cisco AnyConnect VPN Agent" | iplocation src | chart dc(src) BY Cisco_ASA_user Country index=company_logs "Client Type: Cisco AnyConnect VPN Agent" | iplocation src | stats dc(src) values(Cisco_ASA_user) AS Cisco_ASA_user BY Country </LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Thu, 13 Apr 2023 15:24:18 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-can-I-adjust-the-query-to-include-total-connections-that-are/m-p/639822#M16022 johnhuang 2023-04-13T15:24:18Z https://community.splunk.com/t5/Splunk-Enterprise/How-can-I-adjust-the-query-to-include-total-connections-that-are/m-p/639844#M16025 <P>Thanks. The first query works great. May I ask another question? How would I modify it to exclude the USA in the results?</P> Thu, 13 Apr 2023 17:33:06 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-can-I-adjust-the-query-to-include-total-connections-that-are/m-p/639844#M16025 Network506 2023-04-13T17:33:06Z https://community.splunk.com/t5/Splunk-Enterprise/How-can-I-adjust-the-query-to-include-total-connections-that-are/m-p/639847#M16026 <P>Add this after the ip location line:</P><LI-CODE lang="markup">| search NOT Country="United States"</LI-CODE><P><BR />If want to exclude a list of Countries:</P><P>&nbsp;</P><LI-CODE lang="markup">| search NOT Country IN ("United States", "United Kingdom", "France")</LI-CODE> Thu, 13 Apr 2023 17:40:36 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-can-I-adjust-the-query-to-include-total-connections-that-are/m-p/639847#M16026 johnhuang 2023-04-13T17:40:36Z https://community.splunk.com/t5/Splunk-Enterprise/How-can-I-adjust-the-query-to-include-total-connections-that-are/m-p/639978#M16039 <P><SPAN>index=company_logs "Client Type: Cisco AnyConnect VPN Agent"<BR />| stats count src Cisco_ASA_user<BR />| iplocation src<BR /></SPAN>| search NOT Country="United States"<BR />| stats sum(count) AS count dc(src) AS dc_src BY Country user<BR />| stats list(*) AS * BY user</P> Fri, 14 Apr 2023 18:13:11 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-can-I-adjust-the-query-to-include-total-connections-that-are/m-p/639978#M16039 woodcock 2023-04-14T18:13:11Z