Hi, you can use the query below to get a list of the users who are outside of the country, excluding throttled users.
index="authenticatior" action=success
| search "location.country"!="" AND "location.country"!="US"
| table _time, device, username, user_first, user_last, user_managedBy, factor, integration, result, location.city, location.country
| lookup mylookup.csv username OUTPUT last_date
| where isnull(last_date)
| fields - last_date
| eval _time=strftime(_time, "%m/%d/%y %I:%M:%S:%p")
| rename _time as Timestamp, location.city as City, location.country as Country, user_managedBy as Manager, username as "User ID", user_first as First, user_last as Last, factor as Factor, integration as Integration, result as Result, device as Device
| sort Last
And use the query below to add a user to the lookup.
| inputlookup mylookup.csv
| append
    [| makeresults count=1
    | eval username="Name of User", numberofdays=numberofdays, last_date=_time+86400*(numberofdays)
    | fields username, last_date]
| outputlookup mylookup.csv
You have to schedule the query below to remove throttled users from the lookup when their time expires, so schedule it to run at 12:00 AM (for example) every day.
| inputlookup mylookup.csv
| where last_date > now()
| outputlookup mylookup.csv
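
An added example, not part of the original post: a variant of the "add a user" search that also keeps one row per user and drops expired entries in the same pass, so re-adding a user does not leave duplicate rows and a stale entry cannot keep suppressing foreign logins. The username "jdoe" and the 7-day window are constructed sample values; the lookup is assumed to hold the fields username and last_date (epoch seconds) as above.

```spl
| inputlookup mylookup.csv
| append
    [| makeresults count=1
    | eval username="jdoe", numberofdays=7, last_date=now()+86400*numberofdays
    | fields username, last_date]
| eval last_date=tonumber(last_date)
| stats max(last_date) AS last_date BY username
| where last_date > now()
| outputlookup mylookup.csv
```

Because `stats max(last_date)` keeps the latest expiry per user, running this again for the same user extends the throttle instead of stacking rows.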