<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Report all Logon Activity != United States in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Report-all-Logon-Activity-United-States/m-p/535512#M89810</link>
    <description>&lt;P&gt;Try this&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;| tstats `summariesonly` values(Authentication.action) as action,values(Authentication.app) as app,count from datamodel=Authentication.Authentication where *   (Authentication.src="*") (Authentication.dest="*") by Authentication.src_ip,Authentication.src_user,Authentication.user  
|  `drop_dm_object_name("Authentication")`
| iplocation src_ip
| where Country!="United States"&lt;/LI-CODE&gt;&lt;P&gt;You can change your search based on requirement and identify the field name (like src_ip / dest_ip) for which you want to identify geo_location and use &lt;EM&gt;| iplocation &amp;lt;field_name&amp;gt;&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Iplocation" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Iplocation&lt;/A&gt;&lt;/EM&gt;&lt;/P&gt;</description>
    <pubDate>Tue, 12 Jan 2021 16:54:00 GMT</pubDate>
    <dc:creator>General_Talos</dc:creator>
    <dc:date>2021-01-12T16:54:00Z</dc:date>
    <item>
      <title>Report all Logon Activity != United States</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Report-all-Logon-Activity-United-States/m-p/535505#M89807</link>
      <description>&lt;P&gt;I'd like to pull a logon report that shows me any logon activity that is&amp;nbsp; != to the United States.&amp;nbsp; Any help is greatly appreciated.&lt;/P&gt;</description>
      <pubDate>Tue, 12 Jan 2021 16:36:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Report-all-Logon-Activity-United-States/m-p/535505#M89807</guid>
      <dc:creator>itsmevic</dc:creator>
      <dc:date>2021-01-12T16:36:52Z</dc:date>
    </item>
    <item>
      <title>Re: Report all Logon Activity != United States</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Report-all-Logon-Activity-United-States/m-p/535512#M89810</link>
      <description>&lt;P&gt;Try this&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;| tstats `summariesonly` values(Authentication.action) as action,values(Authentication.app) as app,count from datamodel=Authentication.Authentication where *   (Authentication.src="*") (Authentication.dest="*") by Authentication.src_ip,Authentication.src_user,Authentication.user  
|  `drop_dm_object_name("Authentication")`
| iplocation src_ip
| where Country!="United States"&lt;/LI-CODE&gt;&lt;P&gt;You can change your search based on requirement and identify the field name (like src_ip / dest_ip) for which you want to identify geo_location and use &lt;EM&gt;| iplocation &amp;lt;field_name&amp;gt;&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Iplocation" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Iplocation&lt;/A&gt;&lt;/EM&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 12 Jan 2021 16:54:00 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Report-all-Logon-Activity-United-States/m-p/535512#M89810</guid>
      <dc:creator>General_Talos</dc:creator>
      <dc:date>2021-01-12T16:54:00Z</dc:date>
    </item>
    <item>
      <title>Re: Report all Logon Activity != United States</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Report-all-Logon-Activity-United-States/m-p/535518#M89813</link>
      <description>&lt;P&gt;Thank you!&lt;/P&gt;</description>
      <pubDate>Tue, 12 Jan 2021 17:04:58 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Report-all-Logon-Activity-United-States/m-p/535518#M89813</guid>
      <dc:creator>itsmevic</dc:creator>
      <dc:date>2021-01-12T17:04:58Z</dc:date>
    </item>
  </channel>
</rss>

