Splunk Search

How to filter my search that finds VPN User Session Count by Country to only show users with sessions in multiple countries?

pdumblet
Explorer

I have this search which shows the user sessions count by Country for the date range specified. I am trying to filter only on those users that have sessions in multiple countries. Any suggestions?

index=firewall vpn "Session disconnected" | iplocation IP
| fields user, Country | stats count as EvtCounts by user, Country 
| sort -EvtCounts 
| eval EvtCatCnt = Country." (".EvtCounts.")" 
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as Country by user
| sort -Total_Events 
| eval User_Count = user." (".Total_Events.")" 
| table user, Country 

Current results look like this:

user         Country
bob           United States (1)
jane          United States (2) 
tarzan        Mexico (14)
              United States (1) 

Only want to return results like tarzan.

1 Solution

sundareshr
Legend

Try adding this to the end ... | where mvcount(Country)>1

View solution in original post

sundareshr
Legend

Try adding this to the end ... | where mvcount(Country)>1

pjohnson1
Path Finder

How about the date they logged in from one country to the other?

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...