Splunk Search

Using the transaction command with a search

chall61
Engager

I want to know if an account is being accessed by two or more countries within a certain timeframe (for example within twelve hours an account was being accessed by country1 and country2). However, I want to be able to run this search over a 6 month time period. (In the last six months here are the users who were, at some point, accessed by two different countries within twelve hours).
NOTE: I am using the geolocation app powered by maxmind.

Currently I am using stats to count the number of countries a user is accessed from and then displaying results where the country count is greater than one. However, I don't care if a user is accessed from two countries over a 6 month time period. And I don't want to have to run the search over a 12 hour time period over and over again until I've gone back 6 months.

I am assuming that I will use the transaction command and use maxspan to set the timerange that I want. However, I'm not sure how to fit that in with the rest of my search.

Any suggestions?

Thanks

ankireddy007
Path Finder

You can use like

sourcetype=access_* | transaction user country maxspan=<time> |search eventcount>=2
0 Karma

MuS
SplunkTrust
SplunkTrust

please provide some log examples and the current search, without this it would be like asking the magic glass ball

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...