Help/Suggestions on creating a heat map/cholopleth...

mariog2000 · ‎08-08-2019

I'm very new to Splunk and this seems pretty easy in Kibana but in Splunk I'm really having a hard time finding anyone that has done this yet. Initially I'd like to pull x-forwarded-for (XFF) data from my IIS logs. I was hoping I could somehow use the query below or something similar to pull the XFF IP's for the geo-location, and create one heat map for values showing how many connections are coming from that geo-location, and possible create another heat map that could use XFF IP's and the time_taken fields to show me where users with slow connections are popping.

Here's an example of a query to get me started which I can graph, but clearly just changing the graph type to "Cluster Map" or "Choropleth Map"

index=web host=J00Podyp* status=200 | stats values(time_taken) as time_taken by x_forwarded_for UserID | where time_taken > 2000

I've read through a lot of other suggestions but none seem to be using it the way I've discussed, and all have been way over my head so if anyone has any suggestion, please type slowly and provide steps as if you're explaining it to someone at the bar, as this may be where my problem brings me.

One last thing I guess, we do have ITSI and that's definitely an option but I'd rather use what's easiest assuming this is even possible. Thanks in advance for any thoughts or ideas...

mariog2000 · ‎08-22-2019

Not sure if anyone has interest in this but if anyone is trying to setup something similar I've got a working model for some of this I can share. I'm still working through the details but can share what I've got so far if it can help anyone else. Thanks.

Help/Suggestions on creating a heat map/cholopleth map using XFF (x-forwarded-for) data from IIS logs

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience