Splunk Search

Search data by result count

balcv
Contributor

I have a search that returns a list of users and the country logins have occurred from grouped by user.

index=o365 UserloginFailed* 
| iplocation ClientIP
| search Country!=Australia
| stats values(Country) by user

So if a user logins from one Country, then a get a single record for the user (user, Country). 
If a user logins in from multiple locations, I get the user name in one column and a list of the source locations in the values(County) column.

I would like to construct the search so that only see those users who have logins from multiple Countries.
Thanks

Labels (1)
0 Karma
1 Solution

dtburrows3
Builder

I think this SPL will do what you are looking for.

index=o365 UserloginFailed* 
| iplocation ClientIP
| search Country!=Australia
| stats values(Country) as Country by user
| where mvcount(Country)>1

View solution in original post

balcv
Contributor

Perfect.  Thank you @dtburrows3 

0 Karma

dtburrows3
Builder

I think this SPL will do what you are looking for.

index=o365 UserloginFailed* 
| iplocation ClientIP
| search Country!=Australia
| stats values(Country) as Country by user
| where mvcount(Country)>1
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

New Release of Federated Search: Bringing Splunk Analytics to More of Your Data

Organizations today are generating more data than ever and storing it across cloud object stores, data lakes, ...

Inside Event Intelligence: How ITSI Turns Network Alerts into Actionable Incidents

Tech Talk Inside Event Intelligence: How ITSI Turns Network Alerts into Actionable Incidents   Correlating ...

Observability Simplified: Combining User Experience, Application Performance & ...

  Tech Talk Network to App: Observability Unlocked   Today’s digital environments span applications, ...