Thanks for the response. Just had a quick scroll through the REST API, not sure if that's what I'm looking for, however I will have a better read 'morrow when I wake up.
Just to clarify, the search will pick out users that try to ssh into the server from more than one ip address.
So for instance if the user 'andy' tries to ssh in from 192.168.0.2 and 192.168.1.5 the alert will fire off. What I'm trying to do is pass the value of the username, in this case 'andy', to the script, so that I could for example change the motd on the router to something like " Andy tried to login from 2 IPs "
... View more