Security

How to see users logging in from more than one country?

LANGLEYJ
New Member

I would like to only show users logging into multiple countries. How would I manipulate this search to do that?

index="index" "Login succeeded for" | iplocation sip | stats count(sip) AS ipCount by ssl_vpn_user_name, sip, _time, Country, City | where ipCount >=1 | table _time, ssl_vpn_user_name, sip, Country, City | dedup sip

I get a similar table:

time  ssl_vpn_user_name  sip    country     city
time  user1              ip     Country     City
time  user2              ip     Country     City
time  user3              ip     Country     City
time  user3              DIFip  DIFCountry  DIFCITY

0 Karma
1 Solution

pradeepkumarg
Influencer

Append this to your search:

| eventstats dc(Country) as COUNT by ssl_vpn_user_name | where COUNT > 1

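A small Python model of what appending `eventstats dc(...) by ssl_vpn_user_name | where COUNT > 1` does to the result rows, added here as an illustration; it is not code from the thread or from Splunk. The events are constructed, and representing a failed `iplocation` lookup as a missing Country is an assumption.

```python
from collections import defaultdict

# Constructed sample events, shaped like rows after `| iplocation sip`.
# Assumption: Country is None when the lookup finds nothing (e.g. a private address).
EVENTS = [
    {"ssl_vpn_user_name": "user1", "sip": "192.0.2.10", "Country": "United States"},
    {"ssl_vpn_user_name": "user2", "sip": "192.0.2.20", "Country": "Germany"},
    {"ssl_vpn_user_name": "user2", "sip": "192.0.2.21", "Country": "Germany"},
    {"ssl_vpn_user_name": "user3", "sip": "198.51.100.7", "Country": "United States"},
    {"ssl_vpn_user_name": "user3", "sip": "203.0.113.9", "Country": "Brazil"},
    {"ssl_vpn_user_name": "user4", "sip": "198.51.100.8", "Country": "France"},
    {"ssl_vpn_user_name": "user4", "sip": "10.0.0.5", "Country": None},
]


def eventstats_dc(events, field, by, as_field="COUNT"):
    """Model of `eventstats dc(<field>) AS COUNT by <by>`.

    Every event is kept and annotated with the number of distinct non-null
    values of `field` seen across all events sharing the same `by` value.
    """
    distinct = defaultdict(set)
    for ev in events:
        value = ev.get(field)  # exact-case lookup, like a Splunk field name
        if value is not None:
            distinct[ev[by]].add(value)
    return [{**ev, as_field: len(distinct[ev[by]])} for ev in events]


def multi_country_logins(events, field="Country"):
    """Model of `| where COUNT > 1`: keep events of users seen in 2+ countries."""
    annotated = eventstats_dc(events, field, "ssl_vpn_user_name")
    return [ev for ev in annotated if ev["COUNT"] > 1]


def flagged_users(events, field="Country"):
    """Sorted user names that survive the filter."""
    return sorted({ev["ssl_vpn_user_name"] for ev in multi_country_logins(events, field)})


if __name__ == "__main__":
    for ev in multi_country_logins(EVENTS):
        print(ev["ssl_vpn_user_name"], ev["sip"], ev["Country"], ev["COUNT"])
    print("flagged:", flagged_users(EVENTS))
```

Only user3 is returned: two addresses in the same country (user2) and a login with no resolved country (user4) both leave the distinct count at 1.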

LordIssam
Engager

Nice! thx

0 Karma

LANGLEYJ
New Member

Perfect! Thank you very much!

0 Karma