topic Re: Geostats Cluster Map Help in Splunk Search

Geostats Cluster Map Help

ChocolateRocket — Fri, 08 Mar 2024 17:36:59 GMT

Any reason why this can't be visualized in a geo cluster map?

source="udp:514" index="syslog" NOT src_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 17.0.0.0/8) action=DROP src_ip!="162.159.192.9" | iplocation src_ip | geostats count by country

Re: Geostats Cluster Map Help

marnall — Fri, 08 Mar 2024 20:20:22 GMT

The iplocation command generates the capitalized field "Country", not "country", so it should work if you capitalize Country:

| geostats count by Country

Re: Geostats Cluster Map Help

Richfez — Fri, 08 Mar 2024 20:34:03 GMT

The field is "Country" not "country".

Try

... | iplocation src_ip | geostats count by Country

Happy Splunking!

-Rich

Re: Geostats Cluster Map Help

Richfez — Fri, 08 Mar 2024 21:53:13 GMT

Sweet, I was probably typing (got distracted) when you were posting. Glad we had the same answer. 🙂

Re: Geostats Cluster Map Help

ChocolateRocket — Sat, 09 Mar 2024 14:21:29 GMT

Good lord. that was too easy.

Appreciate the help.

I keep forgetting I'm in a 'Nix world now.

Thank goodness PowerShell doesn't mind capitalization rule breakage. 😄

Re: Geostats Cluster Map Help

ChocolateRocket — Sat, 09 Mar 2024 14:43:36 GMT

So, why is Lat/Long included as a data point? Even the tutorial I'm following has the same result, but surely there is a way to not show these since its sort of meaningless? (And don't call me Shirley!) 🙂

Re: Geostats Cluster Map Help

marnall — Sun, 10 Mar 2024 18:10:29 GMT

@ChocolateRocket, the latitude and longitude fields are generated by the iplocation command and they are used to plot the data points on the map. You could remove them but then that would break the visualization.

Good luck, we're all counting on you.

Re: Geostats Cluster Map Help

ChocolateRocket — Tue, 12 Mar 2024 15:54:08 GMT

If that is correct, then the planet earth and all humanity is in the wrong hands.

🙂