I am looking to compare a list of non unique usernames with unique IP's, and specifically analyze the occurences where any users have logged in with multiple ips.
So far I have:
index="iis_logs" source="url.com" NOT cs_username="-" | table cs_username, c_ip | dedup c_ip
A given username can be all letters, all numbers, or a combination of both, so the "where cs_username > 1 doesn't seem to work.
I also do want to see the actual username, so a stats command that only shows how many ips a given user logged into doesnt work either.