I am looking to parse apache logs to locate all users who are logged in from two or more IP addresses within a 10 minute time span.
The search I am performing appears not to be taking the timeframe into consideration or is including records with the same user and same IP within a 10 minute timeframe.
user=* clientip=* | iplocation clientip | bucket _time span=10m | stats dc(clientip) as dc_clientip values(clientip) as clientip values(City) as City values(Region) as Region values(Country) as Country by user | where dc_clientip > 1
Any assistance would be greatly appreciated.
Thanks.
Hi joec90,
you almost got it, stats needs to know that you used timed buckets so you need to add _time to the stats command like this:
user=* clientip=* | iplocation clientip | bucket _time span=10m | stats dc(clientip) as dc_clientip values(clientip) as clientip values(City) as City values(Region) as Region values(Country) as Country by user, _time | where dc_clientip > 1
hope this helps ...
cheers, MuS