Splunk Search

iplocation geostats show count of events from source ip on Google map

ashabc
Contributor

I am trying to show the number of events from various source IPs on a map.

when I run the command

| stats count by src_ip | sort -count

the number of events from individual IPs is quite high.

However, when I use the following command (so that I can show the heat map)

| iplocation src_ip | geostats count by src_ip | sort -count

I am seeing a much smaller number of events on the map.

I must be doing something wrong. Can anyone provide me some clue?

I am using Splunk 6 with the built-in maps feature.


Lazarix
Communicator

The right answer here I believe is:

| geostats count by src_ip globallimit=0

this removes the limit of the result set.

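To see why the map total can be smaller than the `stats count by src_ip` total, here is an added example (not from the thread or from Splunk) that models a split-by series cap like the one globallimit controls: only the top-N src_ip series are kept, the rest never reach the map, and globallimit=0 keeps everything. The IP-to-coordinate table and the per-IP counts are constructed, and the cap logic is a simplified model rather than Splunk's implementation; the useful part is the check that compares the plotted total with the stats total.

```python
"""Simplified model of a geostats-style split-by series cap (added example).

The GEO table is a constructed stand-in for the iplocation lookup and the
counts are constructed; the cap logic models the truncation the thread
describes, not Splunk's actual implementation.
"""
from collections import Counter, defaultdict

# Constructed src_ip -> (lat, lon) table, standing in for `iplocation`.
GEO = {
    "203.0.113.10": (51.5, -0.1),    # constructed: London
    "203.0.113.11": (51.5, -0.1),
    "198.51.100.20": (40.7, -74.0),  # constructed: New York
    "198.51.100.21": (40.7, -74.0),
    "192.0.2.30": (35.7, 139.7),     # constructed: Tokyo
}

# Constructed counts, as `stats count by src_ip` would return them.
STATS_BY_IP = Counter({
    "203.0.113.10": 500, "203.0.113.11": 40, "198.51.100.20": 300,
    "198.51.100.21": 25, "192.0.2.30": 120,
})


def geostats_count(stats_by_ip, geo, globallimit=10):
    """Return {(lat, lon): {src_ip: count}} after applying the series cap.

    globallimit=0 keeps every src_ip series; otherwise only the top-N
    src_ip values by total count survive and the rest are dropped.
    """
    keep = set(stats_by_ip)
    if globallimit > 0:
        keep = {ip for ip, _ in stats_by_ip.most_common(globallimit)}
    cells = defaultdict(dict)
    for ip, n in stats_by_ip.items():
        if ip in keep and ip in geo:  # unknown IPs get no location
            cells[geo[ip]][ip] = n
    return dict(cells)


def plotted_total(cells):
    """Sum of the counts that actually reach the map."""
    return sum(sum(series.values()) for series in cells.values())


def totals_match(stats_by_ip, geo, globallimit):
    """Sanity check: True when the map total equals the stats total."""
    plotted = plotted_total(geostats_count(stats_by_ip, geo, globallimit))
    return plotted == sum(stats_by_ip.values())


if __name__ == "__main__":
    for limit in (2, 0):
        shown = plotted_total(geostats_count(STATS_BY_IP, GEO, limit))
        print(f"globallimit={limit}: plotted {shown} of {sum(STATS_BY_IP.values())}")
```

The same check works against a real deployment: if the sum of the geostats counts is below the sum from `stats count by src_ip`, a series limit is dropping sources from the map.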

chimell
Motivator
Just add the attribute globallimit=0 to your search code to raise the number of events.
Try this XML code:
    <row>
        <panel>
            <map>
                <search>
                your search code here …. | iplocation src_ip | geostats globallimit=0 count by src_ip
                </search>
            </map>
        </panel>
    </row>

sympatiko
Communicator

Hi,

This command helps. Is it possible to add the City and Country details on the map when you mouse over to the results?

Thanks,


mcronkrite
Splunk Employee

This is an example of using the native Splunk 6 map data and the Splunk CIM Web Proxy data model. It uses Bluecoat data that has been mapped to the CIM and visualizes the dest IP as a location on a global map.

  <row>    
    <panel>
      <map>
        <title>Countries Count by GEOIP</title>
        <searchString>
| pivot Web Web count(Web) AS "Count of Proxy Events"  SPLITROW dest AS dest FILTER Last_Logged_On_User is $userid$   
SORT 100 dest ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1 | iplocation dest | table * | geostats count by dest 
        </searchString>
        <earliestTime>$field1.earliest$</earliestTime>
        <latestTime>$field1.latest$</latestTime>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">all</option>
        <option name="count">10</option>
        <option name="mapping.data.maxClusters">100</option>
        <option name="mapping.map.center">(0,0)</option>
        <option name="mapping.map.zoom">2</option>
        <option name="mapping.markerLayer.markerMaxSize">50</option>
        <option name="mapping.markerLayer.markerMinSize">10</option>
        <option name="mapping.markerLayer.markerOpacity">0.8</option>
        <option name="mapping.tileLayer.maxZoom">7</option>
        <option name="mapping.tileLayer.minZoom">0</option>
      </map>
    </panel>
  </row>

ashabc
Contributor

Got some help from Splunk support and was advised to use the Google Maps app, and the following worked:

| stats count by src_ip | eval _geo_count = count | geoip src_ip

splunkn
Communicator

Hi, mine is the same scenario, but I am not able to see any results using the above query. Could anyone please suggest?
And I'm using Splunk 6.0.3.
