Comments and answers for "Geographically improbable Access Using iplocation"
https://answers.splunk.com/answers/763673/geographicallyimprobableaccessusingiplocation.html
The latest comments and answers for the question "Geographically improbable Access Using iplocation"

Comment by jawaharas on jawaharas's answer
https://answers.splunk.com/comments/764513/view.html
@JRamirezEnosys
Can you upvote and accept the answer if it's helped you? Thanks.
Fri, 09 Aug 2019 06:05:19 GMT
jawaharas

Answer by jawaharas
https://answers.splunk.com/answering/763210/view.html
You can use the query below, based on the [Haversine formula][1]:

```
[BASE SEARCH]
| dedup user_id, clientip
| eval time1=_time
| map maxsearches=99 search="search [BASE SEARCH]
| eval clientip1=$clientip$, time1=$time1$, time2=_time
| search user_id=$user_id$ clientip!=clientip1
| dedup user_id, clientip
| rename clientip as clientip2"
| where clientip1!=clientip2
| iplocation clientip1
| eval lat1=lat, lon1=lon, city1=City, country1=Country
| iplocation clientip2
| eval lat2=lat, lon2=lon, city2=City, country2=Country
| eval rlat1=pi()*lat1/180, rlat2=pi()*lat2/180, rlat=pi()*(lat2-lat1)/180, rlon=pi()*(lon2-lon1)/180
| eval a=sin(rlat/2)*sin(rlat/2) + cos(rlat1)*cos(rlat2)*sin(rlon/2)*sin(rlon/2)
| eval c=2*atan2(sqrt(a), sqrt(1-a))
| eval distance=6371*c
| eval timestamp1=strftime(time1, "%y%m%d %H:%M:%S"), timestamp2=strftime(time2, "%y%m%d %H:%M:%S")
| table user_id, timestamp1, clientip1, city1, country1, timestamp2, clientip2, city2, country2, distance
| rename distance as "distance in KM"
```
**Sample output:**
![alt text][2]
[1]: https://en.wikipedia.org/wiki/Haversine_formula
[2]: /storage/temp/273384harvesianformula.png
Wed, 07 Aug 2019 05:44:02 GMT
jawaharas
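As an added example (not part of the answer above), the same Haversine calculation in Python, extended with the step the SPL query leaves to the reader: dividing the distance by the time between the two logins and flagging pairs whose implied speed no traveller could reach. The `GEO` table stands in for Splunk's `iplocation` lookup and the login events are constructed sample data.

```python
from datetime import datetime
from itertools import groupby
from math import atan2, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371  # same radius the SPL query uses

# Constructed stand-in for `iplocation` (IP -> lat, lon, city, country); documentation-range IPs.
GEO = {
    "192.0.2.10":   (40.7128, -74.0060, "New York", "United States"),
    "198.51.100.7": (51.5074,  -0.1278, "London",   "United Kingdom"),
    "203.0.113.99": (40.7306, -73.9352, "Brooklyn", "United States"),
}

# Constructed login events: (user_id, timestamp, clientip).
LOGINS = [
    ("alice", "2019-08-07 05:00:00", "192.0.2.10"),
    ("alice", "2019-08-07 06:30:00", "198.51.100.7"),  # ~5,570 km in 90 min
    ("bob",   "2019-08-07 08:00:00", "192.0.2.10"),
    ("bob",   "2019-08-07 09:00:00", "203.0.113.99"),  # ~6 km in 60 min
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance; mirrors the eval chain in the SPL answer."""
    rlat1, rlat2 = radians(lat1), radians(lat2)
    rlat, rlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(rlat / 2) ** 2 + cos(rlat1) * cos(rlat2) * sin(rlon / 2) ** 2
    return EARTH_RADIUS_KM * 2 * atan2(sqrt(a), sqrt(1 - a))

def improbable_access(logins, max_speed_kmh=1000.0, geo=GEO):
    """Pair consecutive logins per user from different IPs and flag pairs whose implied
    travel speed exceeds max_speed_kmh (about airliner speed). Returns table-like rows."""
    parse = lambda ts: datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    rows = sorted(logins, key=lambda r: (r[0], parse(r[1])))
    findings = []
    for user, group in groupby(rows, key=lambda r: r[0]):
        events = list(group)
        for (_, t1, ip1), (_, t2, ip2) in zip(events, events[1:]):
            if ip1 == ip2 or ip1 not in geo or ip2 not in geo:
                continue  # same IP, or no geo record: nothing to compare
            lat1, lon1, city1, _ = geo[ip1]
            lat2, lon2, city2, _ = geo[ip2]
            dist = haversine_km(lat1, lon1, lat2, lon2)
            hours = (parse(t2) - parse(t1)).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")  # same-second logins: infinite speed
            if speed > max_speed_kmh:
                findings.append({"user_id": user, "timestamp1": t1, "clientip1": ip1, "city1": city1,
                                 "timestamp2": t2, "clientip2": ip2, "city2": city2,
                                 "distance_km": round(dist, 1), "speed_kmh": round(speed, 1)})
    return findings
```

The speed threshold is the tunable part: a plain distance column, as in the SPL output, needs an analyst to judge whether the gap between the two timestamps makes the move plausible.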