All Apps and Add-ons

How to show visualization of location map of source IPs?

bayman
Path Finder

I want to show a map or country list of where connections are coming from in a search result of our Firewall events. How do I do this?

0 Karma
1 Solution

kmorris_splunk
Splunk Employee
Splunk Employee

You can use the iplocation command, passing it the field that contains the IP to get fields like CIty, Country, Region, lon (longitude), lat (latitude). Using stats you can get a list of countries with the count for each.

src_ip=* | iplocation src_ip | stats count by Country

To plot these on a map, use the geostats command instead of stats, and select the geographical map visualization on your Visualization tab.

src_ip=* | iplocation src_ip | geostats count by Country

View solution in original post

kmorris_splunk
Splunk Employee
Splunk Employee

You can use the iplocation command, passing it the field that contains the IP to get fields like CIty, Country, Region, lon (longitude), lat (latitude). Using stats you can get a list of countries with the count for each.

src_ip=* | iplocation src_ip | stats count by Country

To plot these on a map, use the geostats command instead of stats, and select the geographical map visualization on your Visualization tab.

src_ip=* | iplocation src_ip | geostats count by Country
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...