I am looking to parse Apache logs to locate all users who are logged in from two or more IP addresses within a 10-minute time span.
The search I am performing appears not to be taking the timeframe into consideration, or is including records with the same user and same IP within a 10-minute timeframe.
user=* clientip=* | iplocation clientip | bucket _time span=10m | stats dc(clientip) as dc_clientip values(clientip) as clientip values(City) as City values(Region) as Region values(Country) as Country by _time, user | where dc_clientip > 1
Any assistance would be greatly appreciated.
Thanks.
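As an added example (not part of the question above or of Splunk's own code), the same detection implemented in Python over constructed Apache access-log lines: it groups events per user and applies a sliding 10-minute window, which also catches a pair of IPs that straddles a fixed 10-minute bucket boundary. The log lines, the user field position and the regex are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Apache combined-log lines with an authenticated user field.
SAMPLE_LOG = """\
203.0.113.5 - alice [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
198.51.100.7 - alice [10/Oct/2023:14:03:01 +0000] "GET /account HTTP/1.1" 200 512
198.51.100.7 - alice [10/Oct/2023:14:04:10 +0000] "GET /account HTTP/1.1" 200 512
192.0.2.9 - bob [10/Oct/2023:14:00:00 +0000] "GET / HTTP/1.1" 200 100
192.0.2.9 - bob [10/Oct/2023:14:08:00 +0000] "GET / HTTP/1.1" 200 100
192.0.2.44 - carol [10/Oct/2023:14:05:00 +0000] "GET / HTTP/1.1" 200 100
192.0.2.45 - carol [10/Oct/2023:14:30:00 +0000] "GET / HTTP/1.1" 200 100
"""

# Assumed layout: client IP, ident, user, [timestamp] ... (common/combined format).
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\]')

def parse(log_text):
    """Return (user, ip, timestamp) for every authenticated request."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("user") == "-":   # skip unauthenticated hits
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((m.group("user"), m.group("ip"), ts))
    return events

def multi_ip_users(events, window=timedelta(minutes=10)):
    """Return {user: set(ips)} for users seen from 2+ distinct IPs within `window`.
    Sliding window over each user's time-sorted events: alice's 13:55 / 14:03 pair
    is flagged here, but fixed 10m buckets (13:50-14:00, 14:00-14:10) would miss it."""
    by_user = defaultdict(list)
    for user, ip, ts in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, evs in by_user.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # shrink window from the left
                start += 1
            ips = {ip for _, ip in evs[start:end + 1]}
            if len(ips) > 1:
                flagged.setdefault(user, set()).update(ips)
    return flagged

if __name__ == "__main__":
    print(multi_ip_users(parse(SAMPLE_LOG)))
```

Bob (same IP twice) and carol (two IPs 25 minutes apart) are not flagged; only alice is.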