Hi,
I have a query showing the amount of distinct logins by IP address based on the "term" i've created in the query.
| stats earliest(_time) as first_login latest(_time) as last_login by IP_address User
| eval term=last_login-first_login
| eval term=case(term<86400, "Very Short", term>86400 AND term<(86400*7), "Short", term>(86400*7), "Long")
| chart dc(User) as usercount by IP_address,term
| iplocation IP_address
| where (isnotnull(Country) AND isnotnull(City) AND NOT Country="United States" AND trim(Country)!="" AND trim(City)!="")
| stats sum("Very Short") AS "Very Short", sum(Short) AS Short, sum(Long) AS Long by Country, City
After doing some cross-checking, I realized these results are counting multiple values for users if that makes sense. So if "xxx99" had three "Very Short" logins and "xxx90" had 2 "Very Short" logins, its counting it as 5 "Very Short", when in fact I need it to count as 2 (the amount of users that were categorized as Very Short at least once).
I've tried getting around this myself with this:
| stats earliest(_time) as first_login latest(_time) as last_login by IP_address User
| eval term=last_login-first_login
| eval term=case(term<86400, "Very Short", term>86400 AND term<(86400*7), "Short", term>(86400*7), "Long")
| iplocation IP_address
| stats dc(User) AS usercount by Country City term
| where (isnotnull(Country) AND isnotnull(City) AND NOT Country="United States" AND trim(Country)!="" AND trim(City)!="")
| search Country=Azerbaijan
| chart sum(usercount) over Country by term
but with those results, I can't seem to get it to display the Country AND City, not just the City.
Any thoughts?
Thanks!
... View more