Solved: Why isn't this query showing iplocation statistics...

summitsplunk · ‎04-19-2018

index="myIndex" eventtype=ftnt_fgt_event subtype=system host="" eventtype=ftnt_fgt_auth_privileged status=failed src_user="" srcip=* dstip=* |stats count by src_user dstip |iplocation dstip|

The columns show but there's no data.

jerryzhao · ‎04-19-2018

iplocation can only interpret location info for public ip addresses. Are you sure dstip value is public ip?

View solution in original post

jerryzhao · ‎04-19-2018

iplocation can only interpret location info for public ip addresses. Are you sure dstip value is public ip?

summitsplunk · ‎04-19-2018

I see you have a little Fortigate symbol as your emoji. Have you ever worked with the Fortigate App for Splunk? This is what I"m using.

If so do you know how to write a query that checks for failed logins to the FW from outside a particular state?

For example all of our FW are in X state, so if we see login attempts from another state, there might be a problem.

jerryzhao · ‎04-19-2018

I think you mean srcip doesn't fall into a certain state.
index="myIndex" eventtype=ftnt_fgt_event subtype=system eventtype=ftnt_fgt_auth_privileged status=failed |iplocation srcip |where Region!="California"
This example shows all failed logins out of california

summitsplunk · ‎04-19-2018

No these where internal IPs. I did not know that.

Why isn't this query showing iplocation statistics?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms