GeoIP - how to only show users who are or have logged on from multiple locations

FinT · March 10, 2021, 2:06pm

elastic stack 6.5.1. This question can be applied to any similar query to filter events.

I have visualised users (donut) who have logged in remotely. The inner ring shows users, the outer shows countries. Due to the large number of users, I have two views the the same data, UK and non-UK, but I would like to have one that only shows users who have remotely connected from more than country/city. Of course, this does show users who have multiple coloured outer ring segment, meaning multiple countries.

The raw data is similar to

userA "ip address 1.2.3.4" "country01" "100 times"
userA "ip address 2.3.4.5" "country02" "30 times"
userB "ip address 3.4.5.6" "country03" "2098 times"

I want to filter only users with multiple countries.

donut

Thanks for your time.

jbudz · March 11, 2021, 12:49am

Hmm - it may be difficult without reorganizing the data. We would need a way to join documents - where usernames match. If we can get all the IP data in the same document then we would have options for creating a flag to filter on.

Without changing the source data, maybe something like a terms aggregation on user and { min_doc_count: 2 } in the Advanced -> JSON Input section may help.

FinT · March 11, 2021, 10:30am

Thanks for your insight Jon. Appreciated.

Felix_Roessel · March 13, 2021, 5:50pm

You could add the information you want using a transform. The resulting index can be used to visualize the data.

system · April 10, 2021, 5:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.