Cluster map not showing all countries

aba83 · ‎06-07-2017

Hi all,
I'm trying to create a cluster map out of this search string. It looks at distinct user logins from each country. When I run this string, I get a return of about 15 different countries that all have a different count.

(index=mensa_exchange-prod sourcetype=iis cs_uri_stem="/owa/auth.owa" NOT LogoffReason=* OriginalIP=*)
     OR (index=mensa_radius-prod acct_status_type=1 acct_delay_time=0 vendor=Reserved NOT Wireless) OR (index=mensa_exchange-prod cs_User_Agent="Microsoft+Office*" sc_status=200 cs_username=*)
     | append [ search index=mensa_radius-prod vendor=Microsoft NOT Wireless 
               | transaction user, Client_Friendly_Name maxspan=1 startswith=acct_session_id=* endswith=action=success ]
     | eval clientIP=if(index="mensa_exchange-prod",OriginalIP,tunnel_client_endpoint)
     | rename cs_username AS User
     | iplocation clientIP
     | search Country=*
     | rex field=user "\w{3}\\\(?<user>\S+)" 
     | eval User=lower(user) 
     | stats dc(User) by Country

When I change the "stats" command to "geostats" it only shows logins from the US for some reason. What am I missing? Thanks in advance.

DalJeanis · ‎06-07-2017

First, fix the case of the fields named User or user, then rerun.

If you are still having problems, post again.

aba83 · ‎06-08-2017

What did you mean by fix the case of the fields named User?

DalJeanis · ‎09-25-2017

@aba83 - sorry for the delay. Hopefully you've figured it out by now. You have lower case user in line 4 which gets used as source for the rex in line 9 and overridden by its output, upper case in line 6 which gets overridden by line 10 and then used in line 11.

Cluster map not showing all countries

New Case Study: How LSU’s Student-Powered SOCs and Splunk Are Shaping the Future of ...

Splunk and Fraud

Build Your First SPL2 App!