Hi Splunkers,
I have a query that gives me the following fields I want to work with.
username
Country (after using iplocation on src_ip)
Some usernames have login from more than 2 countries.
I want to see it on a chart that shows me the top 5 usernames based on how many countries they have logged in from, and which countries those are.
I believe I need to use dc(Country) at some point
This is my search string
index=main event=sso status=success ip!=10.0.0.0/8 | regex subject="^\D\d+$" | iplocation ip | stats dc(Country) by subject
Based on your description and code, I have to assume that the field "subject" is holding the username...
Try this
index=main event=sso status=success ip!=10.0.0.0/8 | regex subject="^\D\d+$" | iplocation ip | stats dc(Country) as Country_count values(Country) as Countries by subject | sort 5 - Country_count
If your end goal is to see the chart, try this version and select a stacked column/bar chart.
index=main event=sso status=success ip!=10.0.0.0/8 | regex subject="^\D\d+$" | iplocation ip | stats dc(Country) as Country_count values(Country) as Countries by subject | sort 5 - Country_count
| mvexpand Countries | chart count over subject by Countries
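To see what the answer's pipeline does step by step without a Splunk instance, here is an added Python example (not from the thread or from Splunk) that applies the same 10.0.0.0/8 exclusion, subject regex, per-subject distinct count of countries, top-5 ordering and mvexpand-style flattening to constructed SSO events; the event dicts and their Country values are assumptions standing in for what iplocation would have added.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample events (not real data). "Country" plays the role of the
# field iplocation adds; an empty string models an IP it could not geolocate.
EVENTS = [
    {"event": "sso", "status": "success", "ip": "203.0.113.7", "subject": "u1001", "Country": "Germany"},
    {"event": "sso", "status": "success", "ip": "198.51.100.4", "subject": "u1001", "Country": "France"},
    {"event": "sso", "status": "success", "ip": "192.0.2.44", "subject": "u1001", "Country": "Brazil"},
    {"event": "sso", "status": "success", "ip": "10.0.5.9", "subject": "u1001", "Country": ""},  # internal, excluded
    {"event": "sso", "status": "success", "ip": "203.0.113.9", "subject": "u1002", "Country": "United States"},
    {"event": "sso", "status": "failure", "ip": "203.0.113.9", "subject": "u1002", "Country": "Russia"},  # not success
    {"event": "sso", "status": "success", "ip": "198.51.100.8", "subject": "u1003", "Country": "Japan"},
    {"event": "sso", "status": "success", "ip": "198.51.100.9", "subject": "u1003", "Country": "United States"},
    {"event": "sso", "status": "success", "ip": "192.0.2.10", "subject": "u1004", "Country": "Germany"},
    {"event": "sso", "status": "success", "ip": "192.0.2.11", "subject": "u1005", "Country": "Canada"},
    {"event": "sso", "status": "success", "ip": "192.0.2.12", "subject": "u1005", "Country": ""},  # no geolocation
    {"event": "sso", "status": "success", "ip": "192.0.2.13", "subject": "u1006", "Country": "India"},
    {"event": "sso", "status": "success", "ip": "192.0.2.14", "subject": "admin", "Country": "France"},  # fails regex
]

SUBJECT_RE = re.compile(r"^\D\d+$")           # regex subject="^\D\d+$"
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # ip!=10.0.0.0/8

def countries_by_subject(events):
    """stats dc(Country) as Country_count values(Country) as Countries by subject."""
    seen = defaultdict(set)
    for e in events:
        if e.get("event") != "sso" or e.get("status") != "success" or "ip" not in e:
            continue
        if ipaddress.ip_address(e["ip"]) in INTERNAL:
            continue
        if not SUBJECT_RE.match(e.get("subject", "")):
            continue
        if e.get("Country"):  # dc() and values() skip events with no Country
            seen[e["subject"]].add(e["Country"])
    return {s: sorted(c) for s, c in seen.items()}

def top_subjects(events, n=5):
    """sort n - Country_count: most distinct countries first (subject breaks ties)."""
    ranked = sorted(countries_by_subject(events).items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(s, len(c), c) for s, c in ranked[:n]]

def chart_rows(events, n=5):
    """mvexpand Countries: one (subject, country) row per pair, ready to chart."""
    return [(s, c) for s, _, cs in top_subjects(events, n) for c in cs]
```

Each (subject, country) row from chart_rows is one cell of the stacked chart the answer describes, so a subject whose bar has several segments is one that logged in from several countries.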