Solved: Search data by result count

balcv · ‎12-17-2023

I have a search that returns a list of users and the country logins have occurred from grouped by user.

index=o365 UserloginFailed* 
| iplocation ClientIP
| search Country!=Australia
| stats values(Country) by user

So if a user logins from one Country, then a get a single record for the user (user, Country).
If a user logins in from multiple locations, I get the user name in one column and a list of the source locations in the values(County) column.

I would like to construct the search so that only see those users who have logins from multiple Countries.
Thanks

dtburrows3 · ‎12-17-2023

I think this SPL will do what you are looking for.

index=o365 UserloginFailed* 
| iplocation ClientIP
| search Country!=Australia
| stats values(Country) as Country by user
| where mvcount(Country)>1

View solution in original post

balcv · ‎12-17-2023

Perfect. Thank you @dtburrows3

dtburrows3 · ‎12-17-2023

I think this SPL will do what you are looking for.

index=o365 UserloginFailed* 
| iplocation ClientIP
| search Country!=Australia
| stats values(Country) as Country by user
| where mvcount(Country)>1

Search data by result count

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation