I am trying to generate a Choropleth map of IPs in the US. I have already created one for countries of the world. For that I have successfully used:
<Base_Search>
| iplocation src_ip
| stats count by Country
| where Country!="United States"
| geom geo_countries featureIdField=Country
Great.
I want to create a new map of JUST the United States, and show IPs by state. I am having some trouble there. When I run:
|inputlookup geo_attr_us_states
I see that I have data. Ok.
When I run:
| iplocation src_ip
| where Country="United States"
| table clientip, status, City, State, Country
I see that I have a table that shows the cities and countries, but not the states for the IP addresses. I figure this might be an issue. Back when I ran the inputlookup, I see that the data I get back are state_code, state_fips, state_name. I try to run:
| iplocation src_ip
| where Country="United States"
| geom geo_countries featureIdField=state_name
And state_name is blank for all events.
The fact that Splunk knows the city name of the IP, would suggest that it should know the state as well...
I see on https://answers.splunk.com/answers/334780/can-someone-provide-an-example-for-geom-counts-bas-1.html that there is a comment that suggests that:
| iplocation src_ip
| where Country="United States"
| stats count by src_ip
| geom geo_us_states featureIdField=src_ip
Might work. And it looks like it almost does. But, geom is blank on the statistics tab.
Anyone know what I might be doing wrong?
Hi again, @stakor,
I think there are a couple things going on here.
I'd start by seeing what the generated src_ip field looks like. You could run this much of your query:
| iplocation src_ip
| where Country="United States"
| stats count by src_ip
To see what the statistics table includes in the src_ip column. I suspect there is a mismatch between definitions in geo_us_states and the src_ip information that is preventing aggregated values being mapped on the US map.
Try extracting the IP field and using the geostats command to generate lat and longitude coordinates for the IP locations so that they can be mapped. We have a scenario that shows you how to extract an IP location field, derive latitude and longitude info from it, and use this info with mapping commands as part of creating a dashboard. In particular, these two parts are relevant to your situation:
https://docs.splunk.com/Documentation/Splunk/6.5.2/Scenarios/Extractfields
There is also this Choropleth generation topic in our Dashboards and Visualizations manual:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/ChoroplethGenerate
Based on these two docs resources, I put together this sample search with test data:
sourcetype=secure
| dedup clientip
| iplocation prefix=cip_ clientip
| geostats latfield=cip_lat longfield=cip_lon
| lookup geo_us_states longitude as longitude, latitude as latitude
| stats count by featureId
| geom geo_us_states
This generates the featureIds that are necessary for the geom command to render the map. You should be able to adapt this for your use case and generate the Choropleth map.
Hope this helps!
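Added example (not from the thread or from Splunk's docs): the same state-level choropleth built directly from the per-event coordinates that iplocation returns, without the geostats binning step. The index and sourcetype are placeholders; the field names src_ip, lat, lon, latitude, longitude and featureId are the ones iplocation and the geo_us_states geospatial lookup use. The two isnotnull filters drop events that iplocation could not geolocate or that fall outside any US state polygon, which otherwise surface as an empty geom column.

```spl
index=<your_index> sourcetype=<your_sourcetype> src_ip=*
| iplocation src_ip
| where Country="United States" AND isnotnull(lat) AND isnotnull(lon)
| lookup geo_us_states latitude AS lat, longitude AS lon OUTPUT featureId
| where isnotnull(featureId)
| stats dc(src_ip) AS count BY featureId
| geom geo_us_states
```

The lookup line is the key: geo_us_states is a geospatial lookup, so it takes a latitude/longitude pair and returns the featureId (the state) whose polygon contains that point, which is what geom needs since its featureIdField defaults to featureId. Counting dc(src_ip) rather than raw events gives one contribution per source address, so a single noisy host does not dominate the shading. To see which addresses were dropped, replace the final three lines with "| where isnull(featureId) | table src_ip lat lon City Region".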
When I run:
| iplocation src_ip
| where Country="United States"
| stats count by src_ip
I get a table of:
src_ip count
There are a number of src_ip's and there appears to be an accurate count. But those are the two fields that result.
| iplocation src_ip
| where Country="United States"
| stats count by src_ip
| geom geo_us_states featureIdField="State"
Produces a world map, and the legend shows a number of IP addresses.
| iplocation src_ip
| lookup geo_us_states longitude as Longitude, latitude as Latitude
| stats count by src_ip
| geom geo_us_states
Also produces a world map with a legend of IP addresses.
Thanks for the additional details. I updated my post as I worked through a couple of things to reproduce a choropleth map of ip addresses (see my answer).
When you generate the Choropleth map, it will always show a world map in the "Visualizations" tab. You have to scroll and zoom over to the U.S. to show the shaded states. Can you try scrolling and zooming to see if the US Choropleth map generated as expected? I think the required lats and lons might be missing for the shape rendering to work properly. See my answer above for some more suggestions on adjusting the search.
That did it. I just changed clientip to src_ip, and it worked like a charm.
Thank you very much.
Excellent! So glad to hear that that helped.
Hi @stakor,
I work on Choropleth map documentation. Taking a look at your notes here and will try to suggest something. Please stay tuned!