Hi, I'm having a bit of an issue with the Geographically Improbable Access panel in the Access Anomalies dashboard of the InfoSec app. Basically, if I add a "search user=username" to the search powering it, I get a hit, but without it I don't. So, for a given time period, I'm getting two results for the specified user if I search for them explicitly, which look to be genuine, but I don't see them in the general search. This is the search (I've marked my additional username search in bold): | tstats summariesonly=true allow_old_summaries=true values(Authentication.app) as app from datamodel=Authentication.Authentication where Authentication.action=success by Authentication.user, Authentication.src _time span=1s | rename "Authentication.*" as "*" | eventstats dc(src) as src_count by user | search user=username | search src_count>1 | sort 0 + _time | iplocation src | where isnotnull(lat) AND isnotnull(lon) | streamstats window=2 earliest(lat) as prev_lat, earliest(lon) as prev_lon, earliest(_time) as prev_time, earliest(src) as prev_src, earliest(City) as prev_city, earliest(Country) as prev_country, earliest(app) as prev_app by user | where (src != prev_src) | eval lat1_r=((lat * 3.14159265358) / 180), lat2_r=((prev_lat * 3.14159265358) / 180), delta=(((prev_lon - lon) * 3.14159265358) / 180), distance=(3959 * acos(((sin(lat1_r) * sin(lat2_r)) + ((cos(lat1_r) * cos(lat2_r)) * cos(delta))))), distance=round(distance,2) | fields - lat1_r, lat2_r, long1_r, long2_r, delta | eval time_diff=if((('_time' - prev_time) == 0),1,('_time' - prev_time)), speed=round(((distance * 3600) / time_diff),2) | where (speed > 500) | eval prev_time=strftime(prev_time,"%Y-%m-%d %H:%M:%S") | table user, src, _time, City, Country, app, prev_src, prev_time, prev_city, prev_country, prev_app, distance, speed Does anyone have any ideas about what's going on? @igifrin_splunk Thanks