Solved: Re: How to filter my search that finds VPN User Se...

pdumblet · ‎05-23-2016

I have this search which shows the user sessions count by Country for the date range specified. I am trying to filter only on those users that have sessions in multiple countries. Any suggestions?

index=firewall vpn "Session disconnected" | iplocation IP
| fields user, Country | stats count as EvtCounts by user, Country 
| sort -EvtCounts 
| eval EvtCatCnt = Country." (".EvtCounts.")" 
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as Country by user
| sort -Total_Events 
| eval User_Count = user." (".Total_Events.")" 
| table user, Country

Current results look like this:

user         Country
bob           United States (1)
jane          United States (2) 
tarzan        Mexico (14)
              United States (1)

Only want to return results like tarzan.

sundareshr · ‎05-23-2016

Try adding this to the end ... | where mvcount(Country)>1

View solution in original post

sundareshr · ‎05-23-2016

Try adding this to the end ... | where mvcount(Country)>1

pjohnson1 · ‎02-03-2020

How about the date they logged in from one country to the other?

How to filter my search that finds VPN User Session Count by Country to only show users with sessions in multiple countries?

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud

Join the Conversation

How to filter my search that finds VPN User Session Count by Country to only show users with sessions in multiple countries?

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud