Well, now it seems to be detecting events; I did change the script a little bit. Even though I got 57 events in the last 30 minutes on Real-Time, I barely see them displayed on the map (only 5 are represented, map attached). Do you know why that is?
sourcetype=fortios5* | eval source_ip_address=case(sourcetype=="fortios5_ips", source_ip, sourcetype=="fortios5_webfilter", dstip, sourcetype=="fortios5_virus", dstip, sourcetype=="fortios5_app-ctrl", destination_ip) | iplocation source_ip_address | stats count by attack, source_ip_address, lat, lon, City, Country, Region | geostats globallimit=0 locallimit=0 latfield=lat longfield=lon count by City