https://community.splunk.com/t5/Splunk-Search/Creating-visualization-of-list-of-ip-address/m-p/329328#M98026 <P>I have data that has multiple (and variable) ip addresses associated with each event. </P> <P>For example:<BR /> ABCD September 11, 2017 123.123.123.3 234.234.234.234.3<BR /> SDFG September 11, 2017 234.234.234.1 23.235.243.3 345.6.74.12</P> <P>I am trying to create a map of IPs with geostats. </P> <P>I tried doing <CODE>index = abc | values(ip_addresses) | iplocation ip_addresses | geostats count by Country</CODE> but that didn't seem to work - I think iplocation doesn't work with lists. </P> <P>Any recommendations?</P> Mon, 11 Sep 2017 14:19:12 GMT andrewhlui 2017-09-11T14:19:12Z https://community.splunk.com/t5/Splunk-Search/Creating-visualization-of-list-of-ip-address/m-p/329328#M98026 <P>I have data that has multiple (and variable) ip addresses associated with each event. </P> <P>For example:<BR /> ABCD September 11, 2017 123.123.123.3 234.234.234.234.3<BR /> SDFG September 11, 2017 234.234.234.1 23.235.243.3 345.6.74.12</P> <P>I am trying to create a map of IPs with geostats. </P> <P>I tried doing <CODE>index = abc | values(ip_addresses) | iplocation ip_addresses | geostats count by Country</CODE> but that didn't seem to work - I think iplocation doesn't work with lists. </P> <P>Any recommendations?</P> Mon, 11 Sep 2017 14:19:12 GMT https://community.splunk.com/t5/Splunk-Search/Creating-visualization-of-list-of-ip-address/m-p/329328#M98026 andrewhlui 2017-09-11T14:19:12Z https://community.splunk.com/t5/Splunk-Search/Creating-visualization-of-list-of-ip-address/m-p/329329#M98027 <P>Use <CODE>mvexpand</CODE> to convert from multivalue to single value. Try the following:</P> <PRE><CODE>index = abc | stats values(ip_addresses) as ip_addresses | mvexpand ip_addresses | iplocation ip_addresses | geostats count by Country </CODE></PRE> Mon, 11 Sep 2017 14:42:44 GMT https://community.splunk.com/t5/Splunk-Search/Creating-visualization-of-list-of-ip-address/m-p/329329#M98027 niketn 2017-09-11T14:42:44Z