Hi there, so I've tried almost every combination of search terms I can think of but I cannot seem to get Maps to actually map anything out. Here is a sample of our IDP output:
Jul 17 19:05:27 130.184.1.23 Jul 17 19:05:27 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 218.248.240.178, destination: 130.184.251.102, zone name: Internet, interface name: reth2.324, action: drop
I am successfully extracting the field "screen_source", which in this case would be 218.248.240.178.
Some of the search strings I have tried:
source="srx" |geoip screen_source
-- returns a few matching events (not nearly enough, but no mapping)
source="srx" | lookup geo ip as screen_source
-- seems to return the right number of matching events, but no mapping.
The best luck I've had is running:
source="srx" |geoip screen_source="*"
-- this actually maps some IPs, but only maps the first IP it sees, the source of the syslog -- 130.184.1.23. Not very helpful.
One more thing, on the first two searches there is no data in the GeoResults and Events tabs. The Events tab does contain the following error: "[EventsViewer module] year is out of range"
Any ideas? Thanks!
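The pitfall in the last search above (the first IP on the line, the syslog relay host, gets mapped instead of the attacker) comes down to which IP the extraction picks out of the event. As an added example, not part of the original post or of the Splunk Maps app, here is a stand-alone Python version of the two extractions side by side, run over the sample RT_SCREEN event from the question: a naive "first IPv4 literal in the line" extraction, a label-anchored `source:` extraction, and a full-line parser. The regex bodies are my own assumptions based only on the one sample line (the original regex is truncated on this page), so field layouts of other RT_SCREEN messages may differ.

```python
import re
from typing import Optional

# Constructed sample input: the Juniper SRX RT_SCREEN syslog line from the question.
SAMPLE_EVENT = (
    "Jul 17 19:05:27 130.184.1.23 Jul 17 19:05:27 RT_IDS: RT_SCREEN_ICMP: "
    "Large ICMP packet! source: 218.248.240.178, destination: 130.184.251.102, "
    "zone name: Internet, interface name: reth2.324, action: drop"
)

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
SYSLOG_TS = r"\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}"

# Label-anchored extraction: only the IP that follows the literal "source:" label.
# The group name screen_source matches the field name in the question; the body
# of the pattern is an assumption, since the page's own regex is cut off.
SCREEN_SOURCE_RE = re.compile(r"(?i)\bsource:\s*(?P<screen_source>" + IPV4 + r")")

# Full-line parser for this message shape (assumed layout from the single sample).
# Note the two IPs before "source:": the relay host that forwarded the syslog
# message and nothing else; the attacker's address only appears after "source:".
SCREEN_EVENT_RE = re.compile(
    r"^(?P<relay_ts>" + SYSLOG_TS + r") (?P<syslog_host>" + IPV4 + r") "
    r"(?P<device_ts>" + SYSLOG_TS + r") RT_IDS: (?P<screen>RT_SCREEN_\w+): "
    r"(?P<message>[^!]+!) source: (?P<screen_source>" + IPV4 + r"), "
    r"destination: (?P<screen_dest>" + IPV4 + r"), zone name: (?P<zone>[^,]+), "
    r"interface name: (?P<interface>[^,]+), action: (?P<action>\w+)$"
)


def first_ip(event: str) -> Optional[str]:
    """Naive extraction: the first IPv4 literal anywhere in the line.

    On a relayed syslog line this is the relay/firewall host, which is exactly
    the wrong address to feed into a geo lookup.
    """
    m = re.search(IPV4, event)
    return m.group(0) if m else None


def screen_source(event: str) -> Optional[str]:
    """Extract only the IP that follows the 'source:' label."""
    m = SCREEN_SOURCE_RE.search(event)
    return m.group("screen_source") if m else None


def parse_screen_event(event: str) -> Optional[dict]:
    """Split a RT_SCREEN line into named fields; None if the line has another shape."""
    m = SCREEN_EVENT_RE.match(event)
    return m.groupdict() if m else None


def geo_candidates(events) -> list:
    """Deduplicated list of screen_source IPs, i.e. what a geo lookup should receive."""
    seen, out = set(), []
    for ev in events:
        ip = screen_source(ev)
        if ip and ip not in seen:
            seen.add(ip)
            out.append(ip)
    return out


if __name__ == "__main__":
    print("first IP on the line :", first_ip(SAMPLE_EVENT))       # relay host
    print("screen_source field  :", screen_source(SAMPLE_EVENT))  # attacker
    for k, v in parse_screen_event(SAMPLE_EVENT).items():
        print(f"  {k:13} = {v}")
```

Running the block shows the two extractions disagreeing on the same line: the naive one returns the relay host 130.184.1.23, the label-anchored one returns 218.248.240.178. Whatever the extraction looks like in Splunk, the check is the same: confirm the field holds the address after `source:` and not the first address on the line before handing it to a geo lookup.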
Seems like your extraction does not work as you might expect. Could you provide the exact extraction definition? What do you mean by "no mapping"?
The last search probably does not do what you want it to. geoip screen_source="*"
does exactly the same as simply calling geoip
since screen_source is not a valid option. When you're passing an argument in the form of <key>=<value>
it's interpreted as an option, not as a keyword/argument.
This ended up being the problem, the extraction wasn't visible to the maps app. Thanks for responding!
Is the extraction visible in the maps app? Did you turn on global sharing for it?
Hi Ziegfried, here is the regex for screen_source:
(?i) source: (?P
And by "no mapping" I mean that nothing shows up on the Google Maps map within the app when running the queries I referenced above (save for the last query, which does map, but just not the right IP).