Splunk Search

How to filter my search that finds VPN User Session Count by Country to only show users with sessions in multiple countries?

pdumblet
Explorer

I have this search which shows the user sessions count by Country for the date range specified. I am trying to filter only on those users that have sessions in multiple countries. Any suggestions?

index=firewall vpn "Session disconnected" | iplocation IP
| fields user, Country | stats count as EvtCounts by user, Country 
| sort -EvtCounts 
| eval EvtCatCnt = Country." (".EvtCounts.")" 
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as Country by user
| sort -Total_Events 
| eval User_Count = user." (".Total_Events.")" 
| table user, Country 

Current results look like this:

user         Country
bob           United States (1)
jane          United States (2) 
tarzan        Mexico (14)
              United States (1) 

Only want to return results like tarzan.

1 Solution

sundareshr
Legend

Try adding this to the end ... | where mvcount(Country)>1

View solution in original post

sundareshr
Legend

Try adding this to the end ... | where mvcount(Country)>1

pjohnson1
Path Finder

How about the date they logged in from one country to the other?

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...