Hi there, so I've tried almost every combination of search terms I can think of but I cannot seem to get Maps to actually map anything out. Here is a sample of our IDP output:
Jul 17 19:05:27 130.184.1.23 Jul 17 19:05:27 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 218.248.240.178, destination: 130.184.251.102, zone name: Internet, interface name: reth2.324, action: drop
I am successfully extracting the field "screen_source", which in this case would be 218.248.240.178.
Some of the search strings I have tried:
source="srx" |geoip screen_source -- returns a few matching events (not nearly enough, but no mapping)
source="srx" | lookup geo ip as screen_source -- seems to return the right number of matching events, but no mapping.
The best luck I've had is running:
source="srx" |geoip screen_source="*" -- this actually maps some IPs, but only maps the first IP it sees, the source of the syslog -- 130.184.1.23. Not very helpful.
One more thing, on the first two searches there is no data in the GeoResults and Events tabs. The Events tab does contain the following error: "[EventsViewer module] year is out of range"
Any ideas? Thanks!
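A field extraction for the screen event quoted above, as an added Python example that is not part of the post (the sample line is constructed from the one quoted above; the field names are my own): it shows that an unanchored "first IP in the line" match returns the syslog relay host rather than the screen source, which is the symptom described, and which address is actually worth geolocating.

```python
import re
import ipaddress

# Constructed sample, copied from the post above (Juniper SRX screen event as
# relayed by syslog; the first IP is the syslog relay, not the scanning host).
SAMPLE = ("Jul 17 19:05:27 130.184.1.23 Jul 17 19:05:27 RT_IDS: RT_SCREEN_ICMP: "
          "Large ICMP packet! source: 218.248.240.178, destination: 130.184.251.102, "
          "zone name: Internet, interface name: reth2.324, action: drop")

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Anchored on the labels, so the "source:" inside the message body is what we
# capture as screen_source, never the leading syslog host.
SCREEN_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<syslog_host>" + IPV4 + r") .*?"
    r"(?P<event>RT_SCREEN_\w+): (?P<msg>.*?) source: (?P<screen_source>" + IPV4 + r"), "
    r"destination: (?P<destination>" + IPV4 + r"), zone name: (?P<zone>[^,]+), "
    r"interface name: (?P<interface>[^,]+), action: (?P<action>\w+)$"
)


def parse_screen_event(line):
    """Return the labelled fields of an RT_SCREEN line, or None if it does not match."""
    m = SCREEN_RE.match(line)
    return m.groupdict() if m else None


def first_ip(line):
    """What an unanchored 'first IP in the event' extraction yields: the syslog host."""
    m = re.search(IPV4, line)
    return m.group(0) if m else None


def geoip_candidate(fields):
    """The address worth geolocating: the screen source, only if globally routable."""
    ip = ipaddress.ip_address(fields["screen_source"])
    return str(ip) if ip.is_global else None


if __name__ == "__main__":
    fields = parse_screen_event(SAMPLE)
    print("naive first IP:", first_ip(SAMPLE))          # the syslog relay
    print("screen_source :", fields["screen_source"])   # the address to map
    print("geoip target  :", geoip_candidate(fields))
```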