I am looking to compare a list of non-unique usernames with unique IPs, and specifically analyze the occurrences where any users have logged in with multiple IPs.
So far I have:
index="iis_logs" source="url.com" NOT cs_username="-" | table cs_username, c_ip | dedup c_ip
A given username can be all letters, all numbers, or a combination of both, so the "where cs_username > 1" doesn't seem to work.
I also do want to see the actual username, so a stats command that only shows how many IPs a given user logged into doesn't work either.
Try this
index="iis_logs" source="url.com" NOT cs_username="-" | stats values(c_ip) as c_ip by cs_username | where mvcount(c_ip) > 1
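As an added example (not part of the original thread), here is the same logic reproduced in plain Python so it can be run offline against a handful of IIS W3C log lines: group by username, collect the distinct client IPs, and keep only users seen from more than one IP. The log lines are constructed for illustration, and the hyphen-to-underscore renaming of field names (cs-username to cs_username) is an assumption about how the Splunk IIS sourcetype presents them.

```python
"""Re-implementation of the accepted SPL in Python (added example):

    stats values(c_ip) as c_ip by cs_username | where mvcount(c_ip) > 1

Sample data below is constructed, not taken from a real server.
"""
from collections import defaultdict

# Constructed IIS W3C extended log sample; the "#Fields:" directive names
# the columns and "-" marks an empty value (e.g. an unauthenticated request).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-01 00:00:01 10.0.0.5 GET /login - 443 - 203.0.113.10 Mozilla/5.0 200
2024-01-01 00:00:02 10.0.0.5 GET /app - 443 alice 203.0.113.10 Mozilla/5.0 200
2024-01-01 00:00:03 10.0.0.5 GET /app - 443 bob 203.0.113.10 Mozilla/5.0 200
2024-01-01 00:00:04 10.0.0.5 GET /app - 443 alice 198.51.100.7 Mozilla/5.0 200
2024-01-01 00:00:05 10.0.0.5 GET /app - 443 12345 192.0.2.22 Mozilla/5.0 200
2024-01-01 00:00:06 10.0.0.5 GET /app - 443 12345 192.0.2.22 Mozilla/5.0 200
2024-01-01 00:00:07 10.0.0.5 GET /app - 443 alice 203.0.113.10 Mozilla/5.0 200
"""


def parse_iis_w3c(text):
    """Parse IIS W3C extended log text into a list of dicts.

    Field names are normalised the way the Splunk IIS sourcetype is assumed
    (assumption, not verified here) to present them: hyphens become
    underscores, so cs-username -> cs_username and c-ip -> c_ip.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.replace("-", "_") for f in line.split()[1:]]
            continue
        if fields is None:
            raise ValueError("data line appears before the #Fields: header")
        values = line.split()  # IIS encodes spaces inside values as '+'
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def ips_per_user(records, username_field="cs_username", ip_field="c_ip"):
    """Equivalent of `NOT cs_username="-" | stats values(c_ip) by cs_username`."""
    ips = defaultdict(set)
    for rec in records:
        user = rec.get(username_field, "-")
        ip = rec.get(ip_field, "-")
        if user == "-" or ip == "-":  # unauthenticated request or missing IP
            continue
        ips[user].add(ip)
    return dict(ips)


def users_with_multiple_ips(records, min_ips=2):
    """Equivalent of `| where mvcount(c_ip) > 1` (with the default min_ips=2)."""
    return {
        user: sorted(ips)
        for user, ips in ips_per_user(records).items()
        if len(ips) >= min_ips
    }


if __name__ == "__main__":
    for user, ips in users_with_multiple_ips(parse_iis_w3c(SAMPLE_IIS_LOG)).items():
        print(f"{user}\t{len(ips)}\t{', '.join(ips)}")
```

Note that the constructed sample has `alice` and `bob` sharing 203.0.113.10: a pipeline that ends in `dedup c_ip` keeps only one event per client IP, so one of those two users would silently disappear, which is why aggregating by username first and then counting distinct IPs is the right order. Usernames that are purely numeric (`12345`) are handled as strings throughout, so no numeric comparison is ever attempted on them.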
This is exactly what I needed, with a better method than the one I was trying before. Thank you!