I am brand spanking new to Splunk and trying to learn the product so be patient....
I have been looking through the forums and Google and tried a lot of examples, but no go so far. I am sure it is something simple, but need guidance.
I am trying to get the results from this search to display on a map in Splunk. The goal is to show activity on a map.
src_geo=*
| iplocation src_geo
| geostats count by src_ip
| sort -count
The search shows 442k for a 24-hour period in Events, but under Visualization/Map it shows "No Results".
What am I missing?
I appreciate your answer but have some follow-up questions. First, when I took your example I got no results.
What does "sourcetype=access_combined" refer to? When I tried to break the search into chunks (at the pipe) I still got no results.
Have you tried using the details at these URLs? They document the geostats and iplocation commands you are trying to use.
http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Geostats
http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Iplocation
Here is an example of a command doing what I believe you are trying to achieve.
sourcetype=access_combined clientip=* status!=200
| dedup clientip, host
| iplocation prefix=cip_ clientip
| geostats latfield=cip_lat longfield=cip_lon count by status
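As an added example (not from the original thread), the same prefix/latfield pattern applied to the asker's field names, assuming src_ip is the field that holds the client address: addresses that iplocation cannot geolocate (private or otherwise unroutable ranges) get no lat/lon and would never plot, so they are dropped before geostats, and the search ends on geostats so the map panel consumes its output directly.

```spl
src_ip=*
| iplocation prefix=src_ src_ip
| where isnotnull(src_lat) AND isnotnull(src_lon)
| geostats latfield=src_lat longfield=src_lon count by src_ip
```

Check the Statistics tab first: if src_lat and src_lon are empty for most events, the field being passed to iplocation does not contain a public IP address.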