I would like to only show users logging into multiple countries. How would I manipulate this search to do that?
index="index" "Login succeeded for" | iplocation sip | stats count(sip) AS ipCount by ssl_vpn_user_name, sip, _time, Country, City | where ipCount >=1 | table _time, ssl_vpn_user_name, sip, Country, City | dedup sip
I get a similar table:
time ssl_vpn_user_name sip country city
time user1 ip Country City
time user2 ip Country City
time user3 ip Country City
time user3 DIFip DIFCountry DIFCITY
Append this to your search:
| eventstats dc(Country) as COUNT by ssl_vpn_user_name | where COUNT > 1
Nice! thx
Perfect! Thank you very much!
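An added example, not part of the original thread: the asker's search with the answer's eventstats filter folded in, reshaped to give one row per user, source IP and location with first and last login times for triage. The index, search string and field names come from the thread; the names logins, first_seen, last_seen and country_count are assumptions introduced here, and events for which iplocation returned no Country are dropped before counting.

```spl
index="index" "Login succeeded for"
| iplocation sip
``` Drop events iplocation could not resolve (for example private address ranges) ```
| where isnotnull(Country) AND Country!=""
``` One row per user / IP / location, keeping the login time range ```
| stats count AS logins min(_time) AS first_seen max(_time) AS last_seen
    by ssl_vpn_user_name, sip, Country, City
``` Count distinct countries per user without collapsing the rows ```
| eventstats dc(Country) AS country_count by ssl_vpn_user_name
| where country_count > 1
| sort ssl_vpn_user_name, first_seen
| convert ctime(first_seen) ctime(last_seen)
| table ssl_vpn_user_name, sip, Country, City, logins, first_seen, last_seen, country_count
```

Field names in Splunk are case-sensitive, so the filter has to use Country exactly as iplocation emits it. The search's time range decides what counts as "multiple countries", so a narrow window keeps the results meaningful.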