All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Help understanding Google Maps results

soundchaos
Path Finder
‎07-30-2014 10:49 AM

I need to be able to get useful data out of the following search:

index="logs" source="mywebsite" | stats dc(cs_username) as Users by c_ip | where Users > 4 | geoip c_ip


The search (in theory) should show me a location where a single IP address has more than 4 users. What I can't see is the actual IP address, and numbers in the circles don't make any sense, I would like the number to be how many users there are, and I would like to be able to click on, hover over, or have some way to easily see the IP address. As it stands, I have no way to see the IP address without doing a completely separate search without geoip

edit: Right now, if I do click on one of the results, it puts the search in a new window and adds _geo="43.6135,-116.2035" to the parameters, but it always gives me "No results found."

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-01-2014 02:16 PM

You could try out Splunk 6's built-in geolocation and mapping capabilities.

index=logs source=mywebsite | stats dc(cs_username) as Users by c_ip | where Users > 4 | iplocation c_ip | geostats count by c_ip

Set the visualization to Map in the UI (6.1) or in SimpleXML source (6.0).

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/iplocation
http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/geostats

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-01-2014 02:16 PM

You could try out Splunk 6's built-in geolocation and mapping capabilities.

index=logs source=mywebsite | stats dc(cs_username) as Users by c_ip | where Users > 4 | iplocation c_ip | geostats count by c_ip

Set the visualization to Map in the UI (6.1) or in SimpleXML source (6.0).

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/iplocation
http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/geostats

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-14-2014 03:42 AM

If your problem is any different from this question then please create a new question.

If your problem is the same then just use the answer above and adapt to your field names.

0 Karma
Reply
Solved! Jump to solution

splunkn
Communicator
‎08-14-2014 03:12 AM

martin_mueller am having user id and src_ip. how i could display the top 10 users in map? any ideas

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-04-2014 11:08 AM

Yeah, my search counts the stats results by c_ip, which will always give you one. You can use different geostats functions, such as sum(Users) by c_ip depending on what you want.

0 Karma
Reply
Solved! Jump to solution

soundchaos
Path Finder
‎08-04-2014 09:43 AM

This is the first time I have got the built in one to give me any results! Thank you! Now my problem with it is that the count is not working, it shows 1 count for every IP now.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...