Solved: Creating visualization of list of ip address

andrewhlui · ‎09-11-2017

I have data that has multiple (and variable) ip addresses associated with each event.

For example:
ABCD September 11, 2017 123.123.123.3 234.234.234.234.3
SDFG September 11, 2017 234.234.234.1 23.235.243.3 345.6.74.12

I am trying to create a map of IPs with geostats.

I tried doing index = abc | values(ip_addresses) | iplocation ip_addresses | geostats count by Country but that didn't seem to work - I think iplocation doesn't work with lists.

Any recommendations?

niketn · ‎09-11-2017

Use mvexpand to convert from multivalue to single value. Try the following:

index = abc 
| stats values(ip_addresses) as ip_addresses 
| mvexpand ip_addresses 
| iplocation ip_addresses 
| geostats count by Country

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎09-11-2017

Use mvexpand to convert from multivalue to single value. Try the following:

index = abc 
| stats values(ip_addresses) as ip_addresses 
| mvexpand ip_addresses 
| iplocation ip_addresses 
| geostats count by Country

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Creating visualization of list of ip address

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!