How to narrow search results from a cluster map by...

russelljesse · ‎06-26-2018

I have a dashboard with a cluster map in a panel that runs the following search:

source="whatever.log" | dedup ipaddr | iplocation allfields=true ipaddr | geostats count by Country

To plot out a map based on ip address.

I want to click on a cluster on the cluster map and have it show the events within the boundaries of that latitude and longitude that were determined by iplocation | geostats, so I am setting the $map.click.boundary$ tokens in my cluster map and then in another dashboard panel running the following search:

source="whatever.log" | dedup ipaddr | iplocation allfields=true ipaddr | geostats count by Country | search latitude>=$map.click.south$ latitude<=$map.click.north$ longitude>=$map.click.west$ longitude<=$map.click.east$

But this does not produce event results within the latitude/longitude boundaries of the cluster that I click. It seems like I get all events.

Any ideas?

dhirendra761 · ‎12-04-2018

This app will be helpful:
https://splunkbase.splunk.com/app/3124/

russelljesse · ‎06-26-2018

I figured it out, was mostly just a syntax error on my part. I ended up with:

source="whatever.log" | iplocation allfields=true ipaddr | search((lat>=$map.click.south$ AND lat<$map.click.north$) AND (lon>=$map.click.west$ AND lon<$map.click.east$)) | table user,ipaddr,City,Region,Country

to show the info from a cluster map in another pane in table form when clicking on a cluster in said cluster map.

How to narrow search results from a cluster map by iplocation and geostats?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!