topic Can someone provide an example for Geom counts based on client IP? in Splunk Search

Can someone provide an example for Geom counts based on client IP?

spammenot66 — Thu, 17 Dec 2015 20:37:29 GMT

Hi all,

I'm trying to generate counts/hits based on client ip and create a map visualization similar to the one found on the site for 6.3 Geographic data visualizations. Can someone help and give a simple example?

Re: Can someone provide an example for Geom counts based on client IP?

s2_splunk — Thu, 17 Dec 2015 21:01:09 GMT

Try this app. It contains a myriad of dashboard examples, including one that sounds like what you are trying to achieve (Under "Basic Elements" - "Maps")

Re: Can someone provide an example for Geom counts based on client IP?

spammenot66 — Sun, 20 Dec 2015 03:41:11 GMT

i tried the app but i couldn't get it to work with iplocation which was why i asked the question in this forum.

Re: Can someone provide an example for Geom counts based on client IP?

arobbins_splunk — Tue, 29 Sep 2020 08:15:42 GMT

Something like this should work for the SPL:

assuming that the IP address you're interested in is "client_ip"

...generating search...
| iplocation client_ip
| stats count by Country
| geom geo_countries featureIdField=Country

you can then set the visualization type to Choropleth

Re: Can someone provide an example for Geom counts based on client IP?

spammenot66 — Wed, 06 Jan 2016 22:05:47 GMT

im getting the following error: "Error in 'SearchOperator:Geom': could not resolve"

Re: Can someone provide an example for Geom counts based on client IP?

arobbins_splunk — Wed, 06 Jan 2016 22:11:19 GMT

Could you post your entire search?

Re: Can someone provide an example for Geom counts based on client IP?

strangelaw — Tue, 29 Sep 2020 08:25:28 GMT

I have similar thingy ongoing. My (workable) search is:

index="feed_inputips" source="/home/splunk/inputs/inputips.csv" | lookup geo_countries longitude as Longitude, latitude as Latitude | stats count by featureId | geom geo_countries

Which allows me to have map with count of events (featureId) - but I am unable to have field 'SRC_ADDRESS' on the map - which IS available on inputips - can anyone provide assistance on this? How about captions?

Does it matter if this run on Search (viz), not on Dashboard?

Re: Can someone provide an example for Geom counts based on client IP?

arobbins_splunk — Wed, 13 Jan 2016 17:34:21 GMT

the choropleth map will only show a single aggregate split by region...

given that your aggregate is count per region, that is what the choropleth will show

Re: Can someone provide an example for Geom counts based on client IP?

spammenot66 — Tue, 29 Sep 2020 08:23:26 GMT

here's my query

sourcetype="dcapi:realtime" |
iplocation c_ip|
stats count by Country|
geom geo_countries featureIdField=Country

If i run it without the last line geom "geo_countries featureIdField=Country", it seems to return results fine
Country count
1 Spain 2
2 United States 126

But the minute i add the last line, i get the following error:
Error in 'SearchOperator:Geom': could not resolve
The search job has failed due to an error. You may be able view the job in the Job Inspector.

Re: Can someone provide an example for Geom counts based on client IP?

arobbins_splunk — Fri, 15 Jan 2016 18:56:20 GMT

... I'm not sure how to help with that... but I'm going to get in front of someone who may... stay tuned...

Re: Can someone provide an example for Geom counts based on client IP?

jluo_splunk — Fri, 15 Jan 2016 19:03:06 GMT

Are you on Splunk 6.3? IIRC, geom wasn't implemented until 6.3. I could be wrong though...

Re: Can someone provide an example for Geom counts based on client IP?

ghendrey_splunk — Fri, 15 Jan 2016 20:09:41 GMT

it would be nice if the choropleth could render the count onto the map. It currently only shows the count when you mouseover the region.

Re: Can someone provide an example for Geom counts based on client IP?

ghendrey_splunk — Fri, 15 Jan 2016 20:17:41 GMT

Usually the geom command is applied after both a lookup has been done against the geo lookup table and the stats. This insures that each record that you stat is accompanied by the correct name of the geo-entity from the geo lookup table. Since you are not applying a geolookup, but rather just attaching a country name via geoIp, my suspicion is that the iplocation command may be attaching country names that are not in the geo spatial lookup. My further suspicion is that a blank country name is getting attached by the geoip. Then the geom command says "cannot resolve [blank]" since it cannot find the geometry for an empty country name. One thing you can do is dig out the log (inspect job through the UI, then click to see the dispatch log). I can tell a lot from those logs. The second thing is to use an eval to make sure there are no blank country names passing through from stats.

Re: Can someone provide an example for Geom counts based on client IP?

ghendrey_splunk — Fri, 15 Jan 2016 20:33:32 GMT

and post your dispatch log (inspect job)

Re: Can someone provide an example for Geom counts based on client IP?

ghendrey_splunk — Tue, 29 Sep 2020 08:23:34 GMT

I tracked down "could not resolve". This actually is occurring because the "filename" key cannot be found in transforms.conf, corresponding to the geo lookup named "geo_countries". Please locate your transforms.conf file that contains a stanza named [geo_countries]. In this stanza you should see something like:
[geo_countries]
external_type=geo
filename=XXX
(where XXX is the name of a .kmz file that resides in a folder named "lookups" under the splunk etc root).

The fact that the "could not resolve" error message is occurring seems to indicate that the filename key wasn't there, which in turn makes me wonder if the [geo_countries] stanza has gotten borked somehow.

Are you able to do this lookup (the geom command requirers the same conf stanza I mentioned above)? SO this is a way to check the stanza is correct (don't miss the opening pipe in this hack SPL):
|stats count|eval lat =37.7792| eval lon=-122.4191|lookup geo_countries longitude as lon, latitude as lat

Re: Can someone provide an example for Geom counts based on client IP?

ghendrey_splunk — Thu, 21 Jan 2016 22:39:47 GMT

again, I recommend making sure that Country is not blank in any of the geoip outputs

Re: Can someone provide an example for Geom counts based on client IP?

maraman_splunk — Tue, 29 Sep 2020 08:30:08 GMT

Hello,

just got the same error message. I had a typo just after geom...

with your version, that would give :
sourcetype="dcapi:realtime" |
iplocation c_ip|
stats count by Country|
geom geo_country featureIdField=Country

->Error in 'SearchOperator:Geom': could not resolve

fixed version
sourcetype="dcapi:realtime" |
iplocation c_ip|
stats count by Country|
geom geo_countries featureIdField=Country

Your mileage may vary but that's probably a typo in the geom command parameters (so the geom command won't find the info needed for the map, which would lead to this error I think)

Re: Can someone provide an example for Geom counts based on client IP?

spammenot66 — Wed, 02 Mar 2016 19:43:58 GMT

@ghendrey and @arobbins THANK YOU very much for your time on this item.

Re: Can someone provide an example for Geom counts based on client IP?

mikenagra — Tue, 29 Sep 2020 09:05:56 GMT

you can't use geo_countries unless you declare it first before the pipe
| lookup geo_countries longitude as Long, latitude as Lat

Re: Can someone provide an example for Geom counts based on client IP?

mikenagra — Tue, 29 Sep 2020 09:05:59 GMT

you can't use geo_countries unless you declare it first before the pipe
| lookup geo_countries longitude as Long, latitude as Lat