How do I display results on map in 6.2

sotherlss · ‎01-21-2016

I am brand spanking new to Splunk and trying to learn the product so be patient....

I have been looking through the forums and Google and tried a lot of examples, but no go so far. I am sure it is something simple, but need guidance.

I am trying to get the results from this search to display on a map in Splunk. The goal is to show activity on a map.

src_geo=* | iplocation src_geo | geostats count by src_ip | sort -count

The search shows 442k for a 24 hour period in Events, but under Visualization/Map it shows No Results

What am I missing?

sotherlss · ‎01-22-2016

I appreciate your answer but have some follow up questions. First, when I took your example I got no results.

What does "sourcetype=access_combined" refer to? When I tried to break the search into chunks (at the pipe) I still got no results.

ncrofts_splunk · ‎01-21-2016

Have you tried using the details at this URL? It documents the Geostats command and iplocation commands which you are trying to use.

http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Geostats
http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Iplocation

Here is an example of a command doing what I believe you are trying to achieve.

sourcetype=access_combined clientip=* status!=200
| dedup clientip, host
| iplocation prefix=cip_ clientip
| geostats latfield=cip_lat longfield=cip_lon count by status

How do I display results on map in 6.2

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms