Splunk Search

How to filter my search that finds VPN User Session Count by Country to only show users with sessions in multiple countries?

pdumblet
Explorer

I have this search which shows the user sessions count by Country for the date range specified. I am trying to filter only on those users that have sessions in multiple countries. Any suggestions?

index=firewall vpn "Session disconnected" | iplocation IP
| fields user, Country | stats count as EvtCounts by user, Country 
| sort -EvtCounts 
| eval EvtCatCnt = Country." (".EvtCounts.")" 
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as Country by user
| sort -Total_Events 
| eval User_Count = user." (".Total_Events.")" 
| table user, Country 

Current results look like this:

user         Country
bob           United States (1)
jane          United States (2) 
tarzan        Mexico (14)
              United States (1) 

Only want to return results like tarzan.

1 Solution

sundareshr
Legend

Try adding this to the end ... | where mvcount(Country)>1


pjohnson1
Path Finder

How about the date they logged in from one country to the other?

0 Karma
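An added example, not posted by anyone in this thread: a variant of the search above that keeps one row per user and country, so the multi-country filter from the accepted answer appears alongside the first and last event time in each country, which is what the follow-up comment asks about. The field names country_count, first_seen and last_seen are chosen here for illustration, the timestamps are those of the "Session disconnected" events the base search matches, and events for which iplocation returned no Country are dropped before counting.

```spl
index=firewall vpn "Session disconnected"
| iplocation IP
| where isnotnull(Country) AND Country!=""
| stats count AS EvtCounts, min(_time) AS first_seen, max(_time) AS last_seen BY user, Country
| eventstats dc(Country) AS country_count, sum(EvtCounts) AS Total_Events BY user
| where country_count > 1
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort 0 -Total_Events, user, -EvtCounts
| table user, Country, EvtCounts, first_seen, last_seen, Total_Events
```

Because stats has already reduced the data to one row per user and Country, dc(Country) in eventstats is the number of countries for that user, so the where clause keeps the same users as mvcount(Country)>1 does on the original multivalue output.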