Splunk Search

Search for users logons from different geo locations

ecanmaster
Explorer

I have built a query so far to look at users who log on from 2 different geo locations; however:

index=microsoft  
| iplocation src_ip 
| stats count dc(Country) as "Geo Location" by user 
| search "Geo Location" > 1

However, I can't seem to add more info like src, dest, action etc.
We can't use values, so that option is not available.
Is there another way to get all the info?
I do realize that I will get more than 1 IP address, but that is the use case.

1 Solution

starcher
Influencer
base search
| iplocation prefix=srcgeo_ src 
| eventstats dc(srcgeo_Country) as countryCount by user 
| where countryCount>1

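The reason the accepted answer works is the switch from stats to eventstats: stats collapses every user to a single row, throwing away src, dest and action, whereas eventstats writes the per-user distinct-country count back onto every original event, so a following where keeps the full events. The Python below is an added illustration of that pipeline, not code from the original post or from Splunk; the logon events and the CIDR-to-country table are constructed stand-ins (real iplocation uses a bundled MaxMind database), and the source field is called src_ip as in the question rather than src as in the answer.

```python
"""Emulate the accepted answer's SPL pipeline in plain Python.

iplocation -> eventstats dc(Country) by user -> where countryCount>1

The sample events and the GEO_TABLE below are constructed for this
example; they are not data from the original poster or Splunk's lookup.
"""
import ipaddress
from collections import defaultdict

# Constructed stand-in for the iplocation lookup (invented mappings).
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "Netherlands"),
    (ipaddress.ip_network("198.51.100.0/24"), "United States"),
    (ipaddress.ip_network("192.0.2.0/24"), "Brazil"),
]

# Constructed logon events in the shape the question implies.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T08:00:00Z", "user": "alice", "src_ip": "203.0.113.10", "dest": "fs01", "action": "success"},
    {"_time": "2024-05-01T08:05:00Z", "user": "alice", "src_ip": "203.0.113.11", "dest": "mail01", "action": "success"},
    {"_time": "2024-05-01T08:07:00Z", "user": "alice", "src_ip": "198.51.100.7", "dest": "vpn01", "action": "success"},
    {"_time": "2024-05-01T09:00:00Z", "user": "bob", "src_ip": "192.0.2.44", "dest": "fs01", "action": "failure"},
    {"_time": "2024-05-01T09:01:00Z", "user": "bob", "src_ip": "192.0.2.45", "dest": "fs01", "action": "success"},
    {"_time": "2024-05-01T09:30:00Z", "user": "carol", "src_ip": "10.0.0.5", "dest": "dc01", "action": "success"},
]


def iplocation(events, field="src_ip", prefix="srcgeo_"):
    """Mimic `| iplocation prefix=srcgeo_ src_ip`: add <prefix>Country to each event.

    Addresses not in the table (here the RFC1918 one) get no Country field,
    matching how iplocation leaves the field empty for private space.
    """
    out = []
    for ev in events:
        ev = dict(ev)
        addr = ipaddress.ip_address(ev[field])
        for net, country in GEO_TABLE:
            if addr in net:
                ev[prefix + "Country"] = country
                break
        out.append(ev)
    return out


def stats_dc_country_by_user(events, country_field="srcgeo_Country"):
    """Mimic `| stats dc(srcgeo_Country) by user`: one row per user.

    This is what the question's query does; src/dest/action are gone.
    Null (missing) values are not counted, as in Splunk's dc().
    """
    seen = defaultdict(set)
    for ev in events:
        if country_field in ev:
            seen[ev["user"]].add(ev[country_field])
    return {user: len(countries) for user, countries in seen.items()}


def eventstats_dc_country_by_user(events, country_field="srcgeo_Country"):
    """Mimic `| eventstats dc(srcgeo_Country) as countryCount by user`.

    Every original event survives with all of its fields and simply gains
    the per-user countryCount, which is the point of the accepted answer.
    """
    counts = stats_dc_country_by_user(events, country_field)
    return [dict(ev, countryCount=counts.get(ev["user"], 0)) for ev in events]


def multi_country_logons(events):
    """Full pipeline: iplocation -> eventstats -> where countryCount>1."""
    enriched = eventstats_dc_country_by_user(iplocation(events))
    return [ev for ev in enriched if ev["countryCount"] > 1]


if __name__ == "__main__":
    # Only alice logged on from two countries; all three of her events
    # come back with src_ip, dest and action intact.
    for ev in multi_country_logons(SAMPLE_EVENTS):
        print(ev["_time"], ev["user"], ev["src_ip"], ev["srcgeo_Country"], ev["dest"], ev["action"])
```

Running it prints alice's three logons, each carrying the source country, destination and action, while bob (one country) and carol (private address, no country) are filtered out; the stats variant returns only {"alice": 2, "bob": 1} with no event detail.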
