I want to show a map or country list of where connections are coming from in a search result of our Firewall events. How do I do this?
You can use the iplocation command, passing it the field that contains the IP to get fields like CIty, Country, Region, lon (longitude), lat (latitude). Using stats you can get a list of countries with the count for each.
src_ip=* | iplocation src_ip | stats count by Country
To plot these on a map, use the geostats command instead of stats, and select the geographical map visualization on your Visualization tab.
src_ip=* | iplocation src_ip | geostats count by Country
You can use the iplocation command, passing it the field that contains the IP to get fields like CIty, Country, Region, lon (longitude), lat (latitude). Using stats you can get a list of countries with the count for each.
src_ip=* | iplocation src_ip | stats count by Country
To plot these on a map, use the geostats command instead of stats, and select the geographical map visualization on your Visualization tab.
src_ip=* | iplocation src_ip | geostats count by Country