topic Re: iplocation/geostats to show events from statistics tab. in Splunk Search

iplocation/geostats to show events from statistics tab.

prithvi08 — Tue, 16 Jan 2018 21:59:12 GMT

Hi, I'm trying to view event related to a specific country or city based on the source ip,so i ran the following query.

index=firewalls | iplocation allfields=true src_ip | stats count by Country City

which works fine by giving me a table like:

when i click any of the city or country to view the events related to that specific region, the search extends like
index=firewalls Country=Albania | iplocation allfields=true src_ip |

which return zero results because the filed Country comes before iplocation command. i know i can search it manually by entering it at the end of the search query like.
index=firewalls | iplocation allfields=true src_ip |search Country=Albania

but im running the query on a dsashboard which returns the count for each country ,city and i want to view the event directly by clicking the respective country from the dashboard. How can i do that ? Pls advice

Re: iplocation/geostats to show events from statistics tab.

DalJeanis — Wed, 17 Jan 2018 01:05:25 GMT

In a dashboard, you could use the above search as a base search and then do postprocessing to select the country from a dropdown.

Re: iplocation/geostats to show events from statistics tab.

prithvi08 — Wed, 17 Jan 2018 03:48:01 GMT

The above search woudnt result in a table and do mean to say selecting country from dropdown list ? how do i do that ? would it eventually let me see the events related to it ?

Re: iplocation/geostats to show events from statistics tab.

mayurr98 — Wed, 17 Jan 2018 08:28:10 GMT

hey try this XML just plug and play

<form>
  <label>my dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=firewalls | iplocation allfields=true src_ip | stats count by Country City</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <link target="_blank">search?q=index=firewalls | iplocation allfields=true src_ip | search Country="$row.Country$"&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

let me know if this helps !

Re: iplocation/geostats to show events from statistics tab.

prithvi08 — Wed, 17 Jan 2018 20:52:30 GMT

Hey..the page gets stuck loading. It doesn't seems be working.i can only see the title and its frozen at loading .