This worked perfectly, thanks! I'd previously tried the subsearch approach, but since I'm actually searching through a few hundred million records, the subsearch would always time out; the eventstats approach was just the trick.
Like this:
(index=auth NOT clientip="10.") OR (index="product12" "Completed login" host="DAL")
| rex "(?i) for user (?P<usernameFromProduct12>[^ ]+)"
| eval username=coalesce(username, usernameFromProduct12)
| stats dc(index) AS index_count values(clientip) AS clientip BY username
| where index_count>1
| dedup clientip | geoip clientip
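The same correlation logic as the query above, re-implemented in Python so it can be run offline over a handful of constructed events (this is an added example, not code from the thread): filter the two sources, extract the username with the same regex, coalesce it, count distinct indexes per user, and keep only users seen in more than one index. The sample events are constructed, and `NOT clientip="10."` is read here as "exclude client IPs starting with 10.", which is an assumption about the query's intent.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the original thread). Each dict stands
# in for one indexed event; "username" is None where the source only carries
# the name inside the raw message.
SAMPLE_EVENTS = [
    {"index": "auth", "host": "web01", "clientip": "203.0.113.5",
     "username": "alice", "_raw": "alice logged in"},
    {"index": "auth", "host": "web01", "clientip": "10.1.2.3",
     "username": "bob", "_raw": "bob logged in"},
    {"index": "product12", "host": "DAL", "clientip": "198.51.100.7",
     "username": None, "_raw": "Completed login for user alice from 198.51.100.7"},
    {"index": "product12", "host": "DAL", "clientip": "198.51.100.9",
     "username": None, "_raw": "Completed login for user carol"},
    {"index": "product12", "host": "NYC", "clientip": "198.51.100.9",
     "username": None, "_raw": "Completed login for user alice"},
]

# Same pattern as the query's rex, case-insensitive.
USER_RE = re.compile(r" for user (?P<usernameFromProduct12>[^ ]+)", re.IGNORECASE)


def base_search(ev):
    """Mirror the boolean filter: auth events from non-10. clients, or
    product12 'Completed login' events from host DAL (assumed prefix match)."""
    in_auth = ev["index"] == "auth" and not ev["clientip"].startswith("10.")
    in_p12 = (ev["index"] == "product12"
              and "Completed login" in ev["_raw"]
              and ev["host"] == "DAL")
    return in_auth or in_p12


def resolve_username(ev):
    """rex + coalesce: prefer an existing username field, else extract it."""
    if ev.get("username"):
        return ev["username"]
    m = USER_RE.search(ev["_raw"])
    return m.group("usernameFromProduct12") if m else None


def cross_index_users(events):
    """stats dc(index) ... values(clientip) BY username | where index_count>1.
    Returns {username: sorted client IPs} for users seen in more than one index."""
    per_user = defaultdict(lambda: {"indexes": set(), "clientip": set()})
    for ev in events:
        if not base_search(ev):
            continue
        user = resolve_username(ev)
        if user is None:
            continue
        per_user[user]["indexes"].add(ev["index"])
        per_user[user]["clientip"].add(ev["clientip"])
    return {u: sorted(v["clientip"]) for u, v in per_user.items()
            if len(v["indexes"]) > 1}
```

Only alice survives: bob is dropped by the 10. filter, carol appears in a single index, and alice's NYC event is excluded by the host condition but her DAL event still pairs with the auth record.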