All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help understanding Google Maps results

soundchaos
Path Finder
‎07-30-2014 10:49 AM

I need to be able to get useful data out of the following search:

index="logs" source="mywebsite" | stats dc(cs_username) as Users by c_ip | where Users > 4 | geoip c_ip


The search (in theory) should show me a location where a single IP address has more than 4 users. What I can't see is the actual IP address, and numbers in the circles don't make any sense, I would like the number to be how many users there are, and I would like to be able to click on, hover over, or have some way to easily see the IP address. As it stands, I have no way to see the IP address without doing a completely separate search without geoip

edit: Right now, if I do click on one of the results, it puts the search in a new window and adds _geo="43.6135,-116.2035" to the parameters, but it always gives me "No results found."

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-01-2014 02:16 PM

You could try out Splunk 6's built-in geolocation and mapping capabilities.

index=logs source=mywebsite | stats dc(cs_username) as Users by c_ip | where Users > 4 | iplocation c_ip | geostats count by c_ip

Set the visualization to Map in the UI (6.1) or in SimpleXML source (6.0).

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/iplocation
http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/geostats

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-01-2014 02:16 PM

You could try out Splunk 6's built-in geolocation and mapping capabilities.

index=logs source=mywebsite | stats dc(cs_username) as Users by c_ip | where Users > 4 | iplocation c_ip | geostats count by c_ip

Set the visualization to Map in the UI (6.1) or in SimpleXML source (6.0).

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/iplocation
http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/geostats

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-14-2014 03:42 AM

If your problem is any different from this question then please create a new question.

If your problem is the same then just use the answer above and adapt to your field names.

0 Karma
Reply
Solved! Jump to solution

splunkn
Communicator
‎08-14-2014 03:12 AM

martin_mueller am having user id and src_ip. how i could display the top 10 users in map? any ideas

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-04-2014 11:08 AM

Yeah, my search counts the stats results by c_ip, which will always give you one. You can use different geostats functions, such as sum(Users) by c_ip depending on what you want.

0 Karma
Reply
Solved! Jump to solution

soundchaos
Path Finder
‎08-04-2014 09:43 AM

This is the first time I have got the built in one to give me any results! Thank you! Now my problem with it is that the count is not working, it shows 1 count for every IP now.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...