Hi,
I have installed the Google Maps Add-on for Splunk Enterprise in Splunk 6.3.2. In the add-on, when I run the search:
index=wineventlog sourcetype=wineventlog:security EventCode=4625 src_ip=* | geoip src_ip....
I am able to see the results in a map. With that result, I created a dashboard, but in the dashboard, I am unable to see the result in a map. It's only giving me the events. How can I achieve getting the results in a map instead of raw events?
Thanks!
Win_Auth_Failure

<dashboard>
  <!-- root element and label assumed from the dashboard name above; the posted panel alone is not a loadable Simple XML file -->
  <label>Win_Auth_Failure</label>
  <row>
    <panel>
      <map>
        <title>Auth Failure</title>
        <search>
          <!-- posted query: emits one row per event, not an aggregated result set -->
          <query>index=wineventlog sourcetype=wineventlog:security EventCode=4625 src_ip=* | geoip src_ip</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="mapping.type">marker</option>
        <option name="mapping.choroplethLayer.colorBins">5</option>
        <option name="mapping.choroplethLayer.colorMode">auto</option>
        <option name="mapping.choroplethLayer.maximumColor">0xDB5800</option>
        <option name="mapping.choroplethLayer.minimumColor">0x2F25BA</option>
        <option name="mapping.choroplethLayer.neutralPoint">0</option>
        <option name="mapping.choroplethLayer.shapeOpacity">0.75</option>
        <option name="mapping.choroplethLayer.showBorder">1</option>
        <option name="mapping.data.maxClusters">100</option>
        <option name="mapping.map.center">(0,0)</option>
        <option name="mapping.map.panning">true</option>
        <option name="mapping.map.scrollZoom">1</option>
        <option name="mapping.map.zoom">2</option>
        <option name="mapping.markerLayer.markerMaxSize">50</option>
        <option name="mapping.markerLayer.markerMinSize">10</option>
        <option name="mapping.markerLayer.markerOpacity">0.8</option>
        <option name="mapping.showTiles">1</option>
        <option name="mapping.tileLayer.maxZoom">19</option>
        <option name="mapping.tileLayer.minZoom">0</option>
        <option name="mapping.tileLayer.tileOpacity">1</option>
        <option name="drilldown">all</option>
        <option name="mapping.tileLayer.url">http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png</option>
      </map>
    </panel>
  </row>
</dashboard>
Try this:
index=wineventlog sourcetype=wineventlog:security EventCode=4625 | stats count BY src_ip | geoip src_ip
Or maybe:
index=wineventlog sourcetype=wineventlog:security EventCode=4625 | stats count BY src_ip | lookup geo src_ip
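As an added example (not code from the question or from the answers above): a complete Simple XML dashboard for the same failed-logon (EventCode 4625) use case. The core Splunk `<map>` visualization draws the aggregated rows that `geostats` emits, not raw events, so the search aggregates by source IP and geolocates before charting. It assumes Splunk's built-in `iplocation` and `geostats` commands are acceptable in place of the add-on's `geoip` command, keeps the index and sourcetype names from the question, and adds a hypothetical time input and a companion table panel so an analyst can see which source IPs are behind the markers.

```xml
<form>
  <label>Win_Auth_Failure</label>

  <!-- time picker; token name is an assumption for this example -->
  <fieldset submitButton="false">
    <input type="time" token="tok_time">
      <label>Time range</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <row>
    <panel>
      <map>
        <title>Failed logons (4625) by source location</title>
        <search>
          <!-- stats first: one row per source IP, then geolocate, then bucket for the map.
               iplocation adds lat/lon (plus City, Region, Country) per IP; private or
               unroutable sources get no coordinates and simply do not appear as markers.
               geostats defaults to latfield=lat longfield=lon, so no extra options are needed. -->
          <query>index=wineventlog sourcetype=wineventlog:security EventCode=4625 src_ip=*
| stats count BY src_ip
| iplocation src_ip
| geostats latfield=lat longfield=lon sum(count) AS failures</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
        </search>
        <option name="mapping.type">marker</option>
        <option name="mapping.map.center">(0,0)</option>
        <option name="mapping.map.zoom">2</option>
        <option name="mapping.markerLayer.markerMinSize">10</option>
        <option name="mapping.markerLayer.markerMaxSize">50</option>
        <option name="mapping.showTiles">1</option>
        <option name="drilldown">none</option>
      </map>
    </panel>
  </row>

  <row>
    <panel>
      <table>
        <title>Top failing source IPs</title>
        <search>
          <!-- same base search, kept as a table so the marker counts are attributable to IPs -->
          <query>index=wineventlog sourcetype=wineventlog:security EventCode=4625 src_ip=*
| stats count AS failures dc(Account_Name) AS accounts BY src_ip
| iplocation src_ip
| table src_ip failures accounts Country City
| sort - failures</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
        </search>
        <option name="count">20</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

The `geostats` step is what makes the difference: a search that ends in a per-event `geoip`/`iplocation` still returns events, which the dashboard renders as a list, whereas `geostats` returns the binned coordinate rows the `<map>` element expects. The `dc(Account_Name)` column in the table is a quick password-spray indicator (one source, many accounts); `Account_Name` is the field name Splunk's Windows TA extracts from 4625 events, which is an assumption if a different add-on is doing the extraction.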