- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Need Help with Google Maps search string
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there, so I've tried almost every combination of search terms I can think of but I can not seem to get Maps to actually map anything out. Here is a sample of our IDP output:
Jul 17 19:05:27 130.184.1.23 Jul 17 19:05:27 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 218.248.240.178, destination: 130.184.251.102, zone name: Internet, interface name: reth2.324, action: drop
I am successfully extrating the field "screen_source" which in this case would be 218.248.240.178.
Some of the search strings I have tried:
source="srx" |geoip screen_source -- returns a few matching events (not nearly enough, but no mapping)
source="srx" | lookup geo ip as screen_source -- seems to return the right number of matching events, but no mapping.
The best luck I've had is running:
source="srx" |geoip screen_source="*" --this actually maps some IP's, but only maps the first IP it sees, the source of the syslog --130.184.1.23. Not very helpful.
One more thing, on the first two searches there is no data in the GeoResults and Events tabs. The Events tab does contain the following error: "[EventsViewer module] year is out of range"
Any ideas? Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Seems like your extraction does not work as you might expect. Could provide the extract extraction definition? What do you mean by "no mapping"?
The last search probably does not what you would want it to do. geoip screen_source="*" does exactly the same as simply calling geoip since screen_source is not a valid option. When you're passing an argument in the form of <key>=<value> it's interpreted as option not as a keyword/argument.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Seems like your extraction does not work as you might expect. Could provide the extract extraction definition? What do you mean by "no mapping"?
The last search probably does not what you would want it to do. geoip screen_source="*" does exactly the same as simply calling geoip since screen_source is not a valid option. When you're passing an argument in the form of <key>=<value> it's interpreted as option not as a keyword/argument.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This ended up being the problem, the extraction wasn't visible to the maps app. Thanks for responding!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the extraction visible in the maps app? Did you turn on global sharing for it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ziegfried, here is the regex for screen_source:
(?i) source: (?P
And my "no mapping" I mean that nothing shows up on the google maps map, within the app running the queries I referenced above. (save for the last query which deos maps, but just not the right IP).
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
