How to create a map visualization from geom statistics?

summitsplunk
Communicator

I've constructed a query to show "users who logged in from outside the US" below:

| iplocation ipaddr | where Country != "United States" | geom geo_countries | search Country=* | stats count by actor_user_name,Country

This query is working and the statistics show:
actor_user_name, Country, Count?

Is it possible to make this data show up correctly on like a Cluster Map? Currently when I click on "Visualization" it shows a map but has nothing plotted.


niketn
Legend

@summitsplunk iplocation should give you country detail as well; there is no need for geom (you need a cluster map and not a choropleth map).
From a performance perspective, you should do stats first, followed by iplocation, and then finally geostats if you want to plot data on a Cluster Map. Try the following search and confirm:

<yourBaseSearch> ipaddr=* actor_user_name=*
| stats count by ipaddr actor_user_name
| iplocation ipaddr
| search Country!="United States"
| geostats sum(count) as count by actor_user_name
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn
Legend

@summitsplunk if this answer has helped, please accept it to mark this question as answered. If you need further details, please let us know.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"