Solved: Why isn't this query showing iplocation statistics...

summitsplunk · ‎04-19-2018

index="myIndex" eventtype=ftnt_fgt_event subtype=system host="" eventtype=ftnt_fgt_auth_privileged status=failed src_user="" srcip=* dstip=* |stats count by src_user dstip |iplocation dstip|

The columns show but there's no data.

jerryzhao · ‎04-19-2018

iplocation can only interpret location info for public ip addresses. Are you sure dstip value is public ip?

View solution in original post

jerryzhao · ‎04-19-2018

iplocation can only interpret location info for public ip addresses. Are you sure dstip value is public ip?

summitsplunk · ‎04-19-2018

I see you have a little Fortigate symbol as your emoji. Have you ever worked with the Fortigate App for Splunk? This is what I"m using.

If so do you know how to write a query that checks for failed logins to the FW from outside a particular state?

For example all of our FW are in X state, so if we see login attempts from another state, there might be a problem.

jerryzhao · ‎04-19-2018

I think you mean srcip doesn't fall into a certain state.
index="myIndex" eventtype=ftnt_fgt_event subtype=system eventtype=ftnt_fgt_auth_privileged status=failed |iplocation srcip |where Region!="California"
This example shows all failed logins out of california

summitsplunk · ‎04-19-2018

No these where internal IPs. I did not know that.

Why isn't this query showing iplocation statistics?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!