Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

iplocation/geostats to show events from statistics tab.

prithvi08
Engager
‎01-16-2018 01:59 PM

Hi, I'm trying to view event related to a specific country or city based on the source ip,so i ran the following query.

index=firewalls | iplocation allfields=true src_ip | stats count by Country City

which works fine by giving me a table like:

Country | City | count
Albania | Durres | 5
Argentina | Abel | 7
.
.
.

when i click any of the city or country to view the events related to that specific region, the search extends like
index=firewalls Country=Albania | iplocation allfields=true src_ip |

which return zero results because the filed Country comes before iplocation command. i know i can search it manually by entering it at the end of the search query like.
index=firewalls | iplocation allfields=true src_ip |search Country=Albania

but im running the query on a dsashboard which returns the count for each country ,city and i want to view the event directly by clicking the respective country from the dashboard. How can i do that ? Pls advice

Tags (2)
0 Karma
Reply

mayurr98
Super Champion
‎01-17-2018 12:28 AM

hey try this XML just plug and play

<form>
  <label>my dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=firewalls | iplocation allfields=true src_ip | stats count by Country City</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <link target="_blank">search?q=index=firewalls | iplocation allfields=true src_ip | search Country="$row.Country$"&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

let me know if this helps !

0 Karma
Reply

prithvi08
Engager
‎01-17-2018 12:52 PM

Hey..the page gets stuck loading. It doesn't seems be working.i can only see the title and its frozen at loading .

0 Karma
Reply

DalJeanis
Legend
‎01-16-2018 05:05 PM

In a dashboard, you could use the above search as a base search and then do postprocessing to select the country from a dropdown.

0 Karma
Reply

prithvi08
Engager
‎01-16-2018 07:48 PM

The above search woudnt result in a table and do mean to say selecting country from dropdown list ? how do i do that ? would it eventually let me see the events related to it ?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...