Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare GeoLocation values of login events for each user to previous logins?

olawalePS
Explorer
‎11-08-2022 05:41 AM

I am trying to create an alert that triggers when the location field of a login event from a user changes. so if a user logged in from London earlier and then the next login comes from Dublin, I want an alert to trigger. The login event has a username and client.geoLocation.city field.

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎11-09-2022 01:03 AM

Assuming your search window is applicable for this kind of alert, you only need to count number of different client.geoLocation.city.  Is this correct?  Something like

| stats values(eval('client.geoLocation.city')) as geoLocations by username
| where mvcount(geoLocations) > 1

View solution in original post

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎11-09-2022 01:03 AM

Assuming your search window is applicable for this kind of alert, you only need to count number of different client.geoLocation.city.  Is this correct?  Something like

| stats values(eval('client.geoLocation.city')) as geoLocations by username
| where mvcount(geoLocations) > 1
Reply
Get Updates on the Splunk Community!

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...