First of all, a comment that Geo-IP is sometimes notoriously inaccurate when you consider real-life things like cellular connections and roaming and so forth. You also need to make sure that you keep your GeoIP database up to date. (See http://www.georgestarcher.com/splunk-updating-the-geoip-database/) But, if we ignore these issues ...
The key here is how you define (and store) "usual". What you don't want to have to do is run searches over a large time interval to define a user's pattern of normalcy - so we should save some state in a lookup file. You might define usual as the single most-frequently used, or possibly the top over the past XX days. But, however you define normal the goal is to make a scheduled search that builds and maintains a lookup file defining normalcy.
One example of using a lookup for this purpose is here -> https://answers.splunk.com/answers/422889/how-to-search-for-newly-added-servers-by-comparing.html and another is in a .conf talk that @starcher and I did in .conf 2015. See:
http://conf.splunk.com/session/2015/recordings/2015-splunk-38.mp4
http://conf.splunk.com/session/2015/conf2015-LookupTalk.pdf
... View more