Fairly new to Splunk, so forgive what must be a fairly obvious question.
We have an alert set up to email us if we see logins from a user from more than one country in the last 24 hours. The search looks like:
authtype=Login.Success | iplocation sourceip | stats dedup_splitvals=t dc("Country") AS countrycount by "username" | where countrycount > 1
For which the output will be something like:
username    countrycount
joebloggs   3
aant        2
In the email alert we can click through to the job and then click on the username to review all the events, which is great, but I'd perhaps like a bit more information in the initial email alert so they can be triaged.
How can I add more fields to the output, i.e. how can I group it by username and the country name too?
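An added example, not part of the original post, showing one way to carry the country names (and some triage context) into the alert output while keeping one row per user. It assumes the same field names the post uses (authtype, sourceip, username, and the Country field that iplocation produces); the extra aggregations (values, earliest, latest, count) are standard stats functions and are assumptions about what would be useful for triage, not something the post states.

```spl
authtype=Login.Success
| iplocation sourceip
| stats dedup_splitvals=t
        dc(Country)        AS countrycount
        values(Country)    AS countries
        count              AS logincount
        earliest(_time)    AS first_seen
        latest(_time)      AS last_seen
  by username
| where countrycount > 1
| convert ctime(first_seen) ctime(last_seen)
| sort - countrycount
```

values(Country) collects the distinct country names into a multivalue field on the same row as countrycount, so the email table still lists one line per user but now shows which countries were involved, how many successful logins there were, and the time window they span. If you would rather see one row per user and country (with a per-country login count), use `stats count by username, Country` and then `eventstats dc(Country) AS countrycount by username | where countrycount > 1`; the trade-off is a longer table in the email.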