I'd like to pull a logon report that shows me any logon activity that is != to the United States. Any help is greatly appreciated.
Try this
| tstats `summariesonly` values(Authentication.action) as action,values(Authentication.app) as app,count from datamodel=Authentication.Authentication where * (Authentication.src="*") (Authentication.dest="*") by Authentication.src_ip,Authentication.src_user,Authentication.user
| `drop_dm_object_name("Authentication")`
| iplocation src_ip
| where Country!="United States"
You can change your search based on requirement and identify the field name (like src_ip / dest_ip) for which you want to identify geo_location and use | iplocation <field_name>
https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Iplocation
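A variant of the search above, added here as an example and not part of the answer, that handles one edge case a report like this usually trips over: iplocation leaves Country empty for private or otherwise unresolvable addresses, and `where Country!="United States"` silently drops any event whose Country is null. This version excludes RFC 1918 and loopback sources first, labels anything the GeoIP database cannot resolve, and keeps first/last seen times. It assumes the CIM Authentication data model fields src and user, and that src holds an IP address (the answer above uses src_ip; substitute whichever field carries the address in your data).

```spl
| tstats `summariesonly` count, min(_time) as firstTime, max(_time) as lastTime,
    values(Authentication.action) as action, values(Authentication.app) as app
    from datamodel=Authentication.Authentication
    by Authentication.src, Authentication.user
| `drop_dm_object_name("Authentication")`
``` drop internal sources: they will never geolocate and only add noise ```
| where NOT (cidrmatch("10.0.0.0/8", src) OR cidrmatch("172.16.0.0/12", src)
             OR cidrmatch("192.168.0.0/16", src) OR cidrmatch("127.0.0.0/8", src))
| iplocation src
``` keep public addresses the GeoIP lookup could not place instead of losing them ```
| eval Country=coalesce(Country, "UNRESOLVED")
| where Country!="United States"
| convert ctime(firstTime) ctime(lastTime)
| table firstTime lastTime user src Country City action app count
| sort -count
```

The triple-backtick comment lines inside the pipeline are SPL's inline comment syntax and can be deleted if your Splunk version predates it.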
Thank you!