Solved: Search data by result count

balcv · ‎12-17-2023

I have a search that returns a list of users and the country logins have occurred from grouped by user.

index=o365 UserloginFailed* 
| iplocation ClientIP
| search Country!=Australia
| stats values(Country) by user

So if a user logins from one Country, then a get a single record for the user (user, Country).
If a user logins in from multiple locations, I get the user name in one column and a list of the source locations in the values(County) column.

I would like to construct the search so that only see those users who have logins from multiple Countries.
Thanks

dtburrows3 · ‎12-17-2023

I think this SPL will do what you are looking for.

index=o365 UserloginFailed* 
| iplocation ClientIP
| search Country!=Australia
| stats values(Country) as Country by user
| where mvcount(Country)>1

View solution in original post

balcv · ‎12-17-2023

Perfect. Thank you @dtburrows3

dtburrows3 · ‎12-17-2023

I think this SPL will do what you are looking for.

index=o365 UserloginFailed* 
| iplocation ClientIP
| search Country!=Australia
| stats values(Country) as Country by user
| where mvcount(Country)>1

Search data by result count

stats

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

Search data by result count

stats

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers