All Apps and Add-ons

How to show visualization of location map of source IPs?

bayman
Path Finder

I want to show a map or country list of where connections are coming from in a search result of our Firewall events. How do I do this?

0 Karma
1 Solution

kmorris_splunk
Splunk Employee
Splunk Employee

You can use the iplocation command, passing it the field that contains the IP to get fields like CIty, Country, Region, lon (longitude), lat (latitude). Using stats you can get a list of countries with the count for each.

src_ip=* | iplocation src_ip | stats count by Country

To plot these on a map, use the geostats command instead of stats, and select the geographical map visualization on your Visualization tab.

src_ip=* | iplocation src_ip | geostats count by Country

View solution in original post

kmorris_splunk
Splunk Employee
Splunk Employee

You can use the iplocation command, passing it the field that contains the IP to get fields like CIty, Country, Region, lon (longitude), lat (latitude). Using stats you can get a list of countries with the count for each.

src_ip=* | iplocation src_ip | stats count by Country

To plot these on a map, use the geostats command instead of stats, and select the geographical map visualization on your Visualization tab.

src_ip=* | iplocation src_ip | geostats count by Country
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...