
see users logging in from more than one country

New Member

I would like to only show users logging into multiple countries. How would I manipulate this search to do that?

index="index" "Login succeeded for" | iplocation sip | stats count(sip) AS ipCount by ssl_vpn_user_name, sip, _time, Country, City | where ipCount >=1 | table _time, ssl_vpn_user_name, sip, Country, City | dedup sip

I get a similar table:

time ssl_vpn_user_name sip country city
time user1 ip Country City
time user2 ip Country City
time user3 ip Country City
time user3 DIFip DIFCountry DIFCITY

0 Karma
1 Solution

Influencer

append this to your search

| eventstats dc(Country) as COUNT by ssl_vpn_user_name | where COUNT > 1


0 Karma
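
An added example, not part of the original posts: a variant of the search that returns one summary row per user instead of every login event, using the index, search string and field names from the question. It drops events where Country is missing or empty before counting; the output names (country_count, countries, source_ips, first_login, last_login) are chosen here for illustration.

```spl
index="index" "Login succeeded for"
| iplocation sip
| where isnotnull(Country) AND Country!=""
| stats dc(Country) AS country_count
        values(Country) AS countries
        values(sip) AS source_ips
        min(_time) AS first_login
        max(_time) AS last_login
        by ssl_vpn_user_name
| where country_count > 1
| convert ctime(first_login) ctime(last_login)
| sort - country_count
```

The comparison window is whatever time range the search runs over, so a narrow range (for example the last 24 hours) keeps the result focused on logins that are close together in time.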


New Member

Perfect! Thank you very much!

0 Karma