I am new to Splunk and have a very basic search that gives output as below for VPN users:
| User  | Group | ASA_Device | int_ip  | ext_ip  | City        | Country | time  | count |
|-------|-------|------------|---------|---------|-------------|---------|-------|-------|
| user1 | rsa   | asa1       | x.x.x.x | x.x.x.x | Ottawa      | Canada  | x:x:x | 1     |
| user2 | cert  | asa2       | x.x.x.x | x.x.x.x | Delhi       | India   | x:x:x | 2     |
| user1 | rsa   | asa1       | x.x.x.x | x.x.x.x | Mexico City | Mexico  | x:x:x | 1     |
I want to set up an alert if user1, or any user, connects from a different city and country than their usual location.
First of all, a comment that Geo-IP is sometimes notoriously inaccurate when you consider real-life things like cellular connections and roaming and so forth. You also need to make sure that you keep your GeoIP database up to date. (See http://www.georgestarcher.com/splunk-updating-the-geoip-database/) But, if we ignore these issues ...
The key here is how you define (and store) "usual". What you don't want to have to do is run searches over a large time interval to define a user's pattern of normalcy, so we should save some state in a lookup file. You might define usual as the single most-frequently used location, or possibly the top locations over the past XX days. But, however you define normal, the goal is to make a scheduled search that builds and maintains a lookup file defining normalcy.
One example of using a lookup for this purpose is here -> https://answers.splunk.com/answers/422889/how-to-search-for-newly-added-servers-by-comparing.html and another is in a .conf talk that @starcher and I did at .conf 2015. See:
http://conf.splunk.com/session/2015/recordings/2015-splunk-38.mp4
http://conf.splunk.com/session/2015/conf2015-LookupTalk.pdf
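As an added example (not from the answer above and not Splunk's own code), the two-search pattern the answer describes as a savedsearches.conf fragment: a nightly scheduled search that writes each user's most frequent city and country over the trailing 30 days to a lookup, and a 15-minute alert search that compares current logins against that lookup. The field names User, City, Country and ext_ip are taken from the question's table; the index, sourcetype, lookup filename and search names are assumptions.

```ini
# Added example: two scheduled searches in savedsearches.conf.
# Assumed: index=vpn, sourcetype=cisco:asa, lookup file vpn_user_baseline.csv.
# Field names User, City, Country and ext_ip are those from the question's table.

[VPN - Build user location baseline]
# Runs nightly. "Usual" here means the single most frequent City/Country pair
# per user over the trailing 30 days; the alert never has to scan that window.
enableSched = 1
cron_schedule = 0 2 * * *
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
search = index=vpn sourcetype="cisco:asa" \
  | stats count BY User City Country \
  | sort 0 User, -count \
  | dedup User \
  | rename City AS usual_city, Country AS usual_country, count AS usual_count \
  | fields User usual_city usual_country usual_count \
  | outputlookup vpn_user_baseline.csv

[VPN - Alert on login from unusual location]
# Runs every 15 minutes over the last 15 minutes and fires when any row remains.
# Users with no baseline yet are kept (status=no_baseline) so a first-time user
# is reviewed rather than silently treated as normal.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = @m
counttype = number of events
relation = greater than
quantity = 0
search = index=vpn sourcetype="cisco:asa" \
  | stats count latest(_time) AS last_seen BY User City Country ext_ip \
  | lookup vpn_user_baseline.csv User OUTPUT usual_city usual_country usual_count \
  | eval status = case(isnull(usual_city), "no_baseline", \
                       City!=usual_city OR Country!=usual_country, "deviation", \
                       true(), "usual") \
  | where status != "usual" \
  | convert ctime(last_seen) \
  | table User status City Country usual_city usual_country usual_count ext_ip last_seen count
```

Replace the two `index=vpn sourcetype="cisco:asa"` fragments with whatever base search produced the table in the question; the baseline search must run at least once before the alert search has anything to compare against.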