I am trying to show the number of events from various source IPs on a map.
When I run the command
| stats count by src_ip | sort -count
the number of events from individual IPs is quite high.
However, when I use the following command (so that I can show the heat map)
| iplocation src_ip | geostats count by src_ip | sort -count
I am seeing much smaller number of events on the map.
I must be doing something wrong. Can anyone provide me some clue?
I am using Splunk 6 with the built-in maps feature.
The right answer here I believe is:
| geostats count by src_ip globallimit=0
this removes the limit of the result set.
Just add the attribute globallimit=0 to your search code to raise the number of events.
Try this XML code:
<row>
<panel>
<map>
<search>
your search code here …. | iplocation src_ip | geostats globallimit=0 count by src_ip
</search>
</map>
</panel>
</row>
Hi,
This command helps. Is it possible to add the City and Country details on the map when you mouse over to the results?
Thanks,
This is an example of using the native Splunk 6 map data and the Splunk CIM Web Proxy data model. This is an example of Bluecoat data that has been mapped to the CIM and visualizing the DEST IP as a location on a global map.
<row>
<panel>
<map>
<title>Countries Count by GEOIP</title>
<searchString>
| pivot Web Web count(Web) AS "Count of Proxy Events" SPLITROW dest AS dest FILTER Last_Logged_On_User is $userid$
SORT 100 dest ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1 | iplocation dest | table * | geostats count by dest
</searchString>
<earliestTime>$field1.earliest$</earliestTime>
<latestTime>$field1.latest$</latestTime>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">all</option>
<option name="count">10</option>
<option name="mapping.data.maxClusters">100</option>
<option name="mapping.map.center">(0,0)</option>
<option name="mapping.map.zoom">2</option>
<option name="mapping.markerLayer.markerMaxSize">50</option>
<option name="mapping.markerLayer.markerMinSize">10</option>
<option name="mapping.markerLayer.markerOpacity">0.8</option>
<option name="mapping.tileLayer.maxZoom">7</option>
<option name="mapping.tileLayer.minZoom">0</option>
</map>
</panel>
</row>
Got some help from Splunk support and was advised to use the Google Maps app, and the following worked:
| stats count by src_ip | eval _geo_count = count | geoip src_ip
Hi, mine is the same scenario, but I am not able to see any results using the above query. Could anyone please suggest?
And I'm using Splunk 6.0.3.