I think the OP is referring to what is known as the 'Impossible Login' problem: a user account is seen to login in geographically different locations and therefore heavily indicative of compromised credentials. I too am trying to figure out how to achieve this in Splunk.
... View more