Splunk Search
Highlighted

How to filter my search that finds VPN User Session Count by Country to only show users with sessions in multiple countries?

Explorer

I have this search which shows the user sessions count by Country for the date range specified. I am trying to filter only on those users that have sessions in multiple countries. Any suggestions?

index=firewall vpn "Session disconnected" | iplocation IP
| fields user, Country | stats count as EvtCounts by user, Country 
| sort -EvtCounts 
| eval EvtCatCnt = Country." (".EvtCounts.")" 
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as Country by user
| sort -Total_Events 
| eval User_Count = user." (".Total_Events.")" 
| table user, Country 

Current results look like this:

user         Country
bob           United States (1)
jane          United States (2) 
tarzan        Mexico (14)
              United States (1) 

Only want to return results like tarzan.

Highlighted

Re: How to filter my search that finds VPN User Session Count by Country to only show users with sessions in multiple countries?

Legend

Try adding this to the end ... | where mvcount(Country)>1

View solution in original post

Highlighted

Re: How to filter my search that finds VPN User Session Count by Country to only show users with sessions in multiple countries?

Path Finder

How about the date they logged in from one country to the other?

0 Karma