Re: Cluster map not showing all countries

aba83 · ‎06-07-2017

Hi all,
I'm trying to create a cluster map out of this search string. It looks at distinct user logins from each country. When I run this string, I get a return of about 15 different countries that all have a different count.

(index=mensa_exchange-prod sourcetype=iis cs_uri_stem="/owa/auth.owa" NOT LogoffReason=* OriginalIP=*)
     OR (index=mensa_radius-prod acct_status_type=1 acct_delay_time=0 vendor=Reserved NOT Wireless) OR (index=mensa_exchange-prod cs_User_Agent="Microsoft+Office*" sc_status=200 cs_username=*)
     | append [ search index=mensa_radius-prod vendor=Microsoft NOT Wireless 
               | transaction user, Client_Friendly_Name maxspan=1 startswith=acct_session_id=* endswith=action=success ]
     | eval clientIP=if(index="mensa_exchange-prod",OriginalIP,tunnel_client_endpoint)
     | rename cs_username AS User
     | iplocation clientIP
     | search Country=*
     | rex field=user "\w{3}\\\(?<user>\S+)" 
     | eval User=lower(user) 
     | stats dc(User) by Country

When I change the "stats" command to "geostats" it only shows logins from the US for some reason. What am I missing? Thanks in advance.

DalJeanis · ‎06-07-2017

First, fix the case of the fields named User or user, then rerun.

If you are still having problems, post again.

aba83 · ‎06-08-2017

What did you mean by fix the case of the fields named User?

DalJeanis · ‎09-25-2017

@aba83 - sorry for the delay. Hopefully you've figured it out by now. You have lower case user in line 4 which gets used as source for the rex in line 9 and overridden by its output, upper case in line 6 which gets overridden by line 10 and then used in line 11.

Cluster map not showing all countries

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!