Good afternoon all
I'm just looking for a search that will search for anyone that has logged in to a web site, from a different country (other than the U.S.), in the last 24 hours. Thank you.
Does this give you results?
index="iis_log" cs_username !=OTHER | dedup c_ip | iplocation prefix=cip_ c_ip
If so, try this
index="iis_log" cs_username !=OTHER | dedup c_ip | iplocation prefix=cip_ c_ip | search cip_Country !="United States"
Please promote your comment to an answer, so the poster can accept it.
BINGO! Good call with that last query. That's exactly what I needed!
The help is top notch over here.
Cisco Security Suite, IIS Logging, Splunk App for Web Analytics, MS Windows AD Objects, Splunk App for Windows Infrastructure, Splunk Supporting Add-on for AD.
The community cannot efficiently help you unless you share information about the log / data sources you have available to you. Please share more information about the sourcetypes, log types, add-ons, etc. that are applicable to you.
The query below that I'm trying isn't giving me any results either when I know it should be...
index="iis_log" cs_username !=OTHER | dedup c_ip | iplocation prefix=cip_ c_ip | search cip_Country !=United States
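An added example, not part of any post in this thread: a variant of the search suggested above that pins the window to the last 24 hours with `earliest=-24h`, groups by user and client IP instead of `dedup c_ip` so that several accounts behind one address are all listed, and drops addresses that `iplocation` cannot place (private ranges, for instance). The index and field names are the thread's; `requests`, `first_seen` and `last_seen` are output names chosen here for illustration.

```spl
index="iis_log" earliest=-24h cs_username!=OTHER
| stats count AS requests, earliest(_time) AS first_seen, latest(_time) AS last_seen BY cs_username, c_ip
| iplocation prefix=cip_ c_ip
| where isnotnull(cip_Country) AND cip_Country!="" AND cip_Country!="United States"
| convert ctime(first_seen) ctime(last_seen)
| sort - requests
| table cs_username c_ip cip_Country cip_City requests first_seen last_seen
```

The quotes around "United States" matter: without them the `search` command reads `cip_Country!=United` followed by a separate keyword `States` that must appear in the event, so nothing matches.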