topic Re: iplocation geostats show count of events from source ip on Google map in Splunk Search

iplocation geostats show count of events from source ip on Google map

ashabc — Fri, 07 Feb 2014 01:29:03 GMT

I am trying to show the number of event from various source IPs on a map

when I run the command

| stats count by src_ip | sort  -count

the number of events from individual IPs are quite high.

However, when I use the following command (so that I can show the heat map)

| iplocation src_ip | geostats count by src_ip | sort -count

I am seeing much smaller number of events on the map.

I must be doing something wrong. Can anyone provide me some clue?

I am using splnuk 6 with built-in maps feature

Re: iplocation geostats show count of events from source ip on Google map

ashabc — Wed, 12 Feb 2014 10:19:14 GMT

Got some help from splunk support and been advised to use Google map apps and the following worked

| stats count by src_ip | eval _geo_count = count | geoip src_ip

Re: iplocation geostats show count of events from source ip on Google map

splunkn — Mon, 18 Aug 2014 13:26:37 GMT

Hi mine is the same scenario, but i am not able to see any results using the above query. Could anyone please suggest?
And im using Splunk 6.0.3

Re: iplocation geostats show count of events from source ip on Google map

mcronkrite — Sun, 21 Sep 2014 23:39:01 GMT

This is an example of using the native Splunk 6 map data and the Splunk CIM Web Proxy data model. This is an example of Bluecoat data that has been mapped to the CIM and visualizing the DEST IP as a location on a global map.

  <row>    
    <panel>
      <map>
        <title>Countries Count by GEOIP</title>
        <searchString>
| pivot Web Web count(Web) AS "Count of Proxy Events"  SPLITROW dest AS dest FILTER Last_Logged_On_User is $userid$   
SORT 100 dest ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1 | iplocation dest | table * | geostats count by dest 
        </searchString>
        <earliestTime>$field1.earliest$</earliestTime>
        <latestTime>$field1.latest$</latestTime>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">all</option>
        <option name="count">10</option>
        <option name="mapping.data.maxClusters">100</option>
        <option name="mapping.map.center">(0,0)</option>
        <option name="mapping.map.zoom">2</option>
        <option name="mapping.markerLayer.markerMaxSize">50</option>
        <option name="mapping.markerLayer.markerMinSize">10</option>
        <option name="mapping.markerLayer.markerOpacity">0.8</option>
        <option name="mapping.tileLayer.maxZoom">7</option>
        <option name="mapping.tileLayer.minZoom">0</option>
      </map>
    </panel>
  </row>

Re: iplocation geostats show count of events from source ip on Google map

Lazarix — Fri, 14 Nov 2014 10:36:10 GMT

The right answer here I believe is:

| geostats count by src_ip globallimit=0

this removes the limit of the result set.

Re: iplocation geostats show count of events from source ip on Google map

sympatiko — Tue, 09 Dec 2014 05:40:56 GMT

Hi,

This command helps. Is it possible to add the City and Country details on the map when you mouse over to the results?

Thanks,

Re: iplocation geostats show count of events from source ip on Google map

chimell — Fri, 12 Dec 2014 12:54:12 GMT

Just add in your search code the attribut  globallimit=0  for  rising of  the number of event
     Try this xml code 
            <row>
                 <panel>
                    <map>
                     <search>
                     your search code here …. | iplocation   src_ip | geostats    globallimit=0  count by src_ip 
                     </search>
                    </map>
                    </panel>
             </row>