All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Cluster map not showing all countries

aba83
Explorer
‎06-07-2017 03:42 PM

Hi all,
I'm trying to create a cluster map out of this search string. It looks at distinct user logins from each country. When I run this string, I get a return of about 15 different countries that all have a different count. 

(index=mensa_exchange-prod sourcetype=iis cs_uri_stem="/owa/auth.owa" NOT LogoffReason=* OriginalIP=*)
     OR (index=mensa_radius-prod acct_status_type=1 acct_delay_time=0 vendor=Reserved NOT Wireless) OR (index=mensa_exchange-prod cs_User_Agent="Microsoft+Office*" sc_status=200 cs_username=*)
     | append [ search index=mensa_radius-prod vendor=Microsoft NOT Wireless 
               | transaction user, Client_Friendly_Name maxspan=1 startswith=acct_session_id=* endswith=action=success ]
     | eval clientIP=if(index="mensa_exchange-prod",OriginalIP,tunnel_client_endpoint)
     | rename cs_username AS User
     | iplocation clientIP
     | search Country=*
     | rex field=user "\w{3}\\\(?<user>\S+)" 
     | eval User=lower(user) 
     | stats dc(User) by Country

When I change the "stats" command to "geostats" it only shows logins from the US for some reason. What am I missing? Thanks in advance.

0 Karma
Reply

DalJeanis
Legend
‎06-07-2017 07:07 PM

First, fix the case of the fields named User or user, then rerun.

If you are still having problems, post again.

0 Karma
Reply

aba83
Explorer
‎06-08-2017 02:27 PM

What did you mean by fix the case of the fields named User?

0 Karma
Reply

DalJeanis
Legend
‎09-25-2017 04:31 PM

@aba83 - sorry for the delay. Hopefully you've figured it out by now. You have lower case user in line 4 which gets used as source for the rex in line 9 and overridden by its output, upper case in line 6 which gets overridden by line 10 and then used in line 11.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...