Trouble with Choropleth US Map

stakor
Path Finder

I am trying to generate a Choropleth map of IPs in the US. I have already created one for countries of the world. For that I have successfully used:

<Base_Search>
| iplocation src_ip
| stats count by Country
| where Country!="United States" 
| geom geo_countries featureIdField=Country

Great.

I want to create a new map of JUST the United States, and show IPs by state. I am having some trouble there. When I run:

| inputlookup geo_attr_us_states

I see that I have data. Ok.
When I run:

| iplocation src_ip
| where Country="United States"
| table clientip, status, City, State, Country

I see that I have a table that shows the cities and countries, but not the states for the IP addresses. I figure this might be an issue. Back when I ran the inputlookup, I see that the data I get back are state_code, state_fips, state_name. I try to run:

| iplocation src_ip
| where Country="United States"
| geom geo_countries featureIdField=state_name

And state_name is blank for all events.

The fact that Splunk knows the city name of the IP would suggest that it should know the state as well...

I see on https://answers.splunk.com/answers/334780/can-someone-provide-an-example-for-geom-counts-bas-1.html that there is a comment that suggests that:

| iplocation src_ip
| where Country="United States"
| stats count by src_ip 
| geom geo_us_states featureIdField=src_ip

Might work. And it looks like it almost does. But, geom is blank on the statistics tab.

Anyone know what I might be doing wrong?


frobinson_splun
Splunk Employee

Hi again, @stakor,
I think there are a couple things going on here.

I'd start by seeing what the generated src_ip field looks like. You could run this much of your query:
| iplocation src_ip
| where Country="United States"
| stats count by src_ip

To see what the statistics table includes in the src_ip column. I suspect there is a mismatch between definitions in geo_us_states and the src_ip information that is preventing aggregated values being mapped on the US map.

Try extracting the IP field and using the geostats command to generate lat and longitude coordinates for the IP locations so that they can be mapped. We have a scenario that shows you how to extract an IP location field, derive latitude and longitude info from it, and use this info with mapping commands as part of creating a dashboard. In particular, these two parts are relevant to your situation:

https://docs.splunk.com/Documentation/Splunk/6.5.2/Scenarios/Extractfields

https://docs.splunk.com/Documentation/Splunk/6.5.2/Scenarios/Adddrilldownpanels#Part_5:_Create_a_dri...

There is also this Choropleth generation topic in our Dashboards and Visualizations manual:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/ChoroplethGenerate

Based on these two docs resources, I put together this sample search with test data:

sourcetype=secure
| dedup clientip
| iplocation prefix=cip_ clientip
| geostats latfield=cip_lat longfield=cip_lon
| lookup geo_us_states longitude as longitude, latitude as latitude
| stats count by featureId
| geom geo_us_states

This generates the featureIds that are necessary for the geom command to render the map. You should be able to adapt this for your use case and generate the Choropleth map.

Hope this helps!

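The pipeline the answer describes (iplocation -> latitude/longitude -> lookup geo_us_states -> stats count by featureId -> geom), modelled in Python as an added example that is not part of the original thread or of Splunk's own code. The feature collection and the iplocation results are constructed sample data: two states represented as lat/lon bounding boxes stand in for the real state polygons, and the IPs come from documentation ranges with made-up cities. The function names (lookup_feature_id, count_by_src_ip, count_by_feature_id, geom) are assumptions chosen for the model. It also makes visible why the search from the question, `stats count by src_ip` followed by `geom geo_us_states featureIdField=src_ip`, renders an empty map: the values in the featureId column are IP strings, and no IP string ever equals a feature id in the collection.

```python
from collections import Counter

# Constructed sample standing in for the geo_us_states feature collection.
# Real features are polygons keyed by state name; lat/lon bounding boxes keep
# this runnable offline and preserve the one property that matters here: the
# featureId a row carries must equal a key in this collection to be drawn.
GEO_US_STATES = {
    "Texas":    {"lat": (25.8, 36.5), "lon": (-106.7, -93.5)},
    "Colorado": {"lat": (37.0, 41.0), "lon": (-109.1, -102.0)},
}

# Constructed sample of what `iplocation` returns per event (documentation IPs,
# made-up cities). As in the thread, no State field is populated.
IPLOCATION = {
    "192.0.2.10":   {"City": "Austin",  "Country": "United States", "lat": 30.27, "lon": -97.74},
    "192.0.2.11":   {"City": "Dallas",  "Country": "United States", "lat": 32.78, "lon": -96.80},
    "192.0.2.12":   {"City": "Denver",  "Country": "United States", "lat": 39.74, "lon": -104.99},
    "198.51.100.5": {"City": "Toronto", "Country": "Canada",        "lat": 43.65, "lon": -79.38},
}


def lookup_feature_id(lat, lon, features=GEO_US_STATES):
    """Models `lookup geo_us_states longitude latitude`: the featureId whose
    shape contains the point, or None when the point is outside every shape."""
    for name, box in features.items():
        lo_lat, hi_lat = box["lat"]
        lo_lon, hi_lon = box["lon"]
        if lo_lat <= lat <= hi_lat and lo_lon <= lon <= hi_lon:
            return name
    return None


def count_by_src_ip(events):
    """The search from the question: `iplocation | where Country=US | stats count by src_ip`."""
    counts = Counter()
    for ip in events:
        loc = IPLOCATION.get(ip)
        if loc and loc["Country"] == "United States":
            counts[ip] += 1
    return dict(counts)


def count_by_feature_id(events):
    """The answer's approach: `iplocation | lookup geo_us_states ... | stats count by featureId`."""
    counts = Counter()
    for ip in events:
        loc = IPLOCATION.get(ip)
        if not loc or loc["Country"] != "United States":
            continue
        feature_id = lookup_feature_id(loc["lat"], loc["lon"])
        if feature_id is not None:  # a point outside every shape yields no featureId
            counts[feature_id] += 1
    return dict(counts)


def geom(rows, features=GEO_US_STATES):
    """Models `geom geo_us_states`: a row is shaded only when its featureId matches
    a feature; returns (drawn, unmatched) so the failure mode is visible."""
    drawn = {fid: n for fid, n in rows.items() if fid in features}
    unmatched = {fid: n for fid, n in rows.items() if fid not in features}
    return drawn, unmatched


if __name__ == "__main__":
    events = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "198.51.100.5", "192.0.2.10"]
    # The question's search: every "featureId" is an IP string, so nothing is drawn.
    print("featureIdField=src_ip ->", geom(count_by_src_ip(events)))
    # The answer's search: feature ids are state names, so the states are shaded.
    print("count by featureId    ->", geom(count_by_feature_id(events)))
```

In the real search the point-in-shape step is done by `lookup geo_us_states longitude as <lonfield>, latitude as <latfield>` against the lat/lon fields that `iplocation` (or `geostats`) produced, and the resulting featureId column is what `geom` joins on; the bounding-box lookup above only stands in for that step so the example runs without Splunk.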

stakor
Path Finder

When I run:

| iplocation src_ip
| where Country="United States"
| stats count by src_ip

I get a table of:
src_ip count

There are a number of src_ip values and there appears to be an accurate count. But those are the two fields that result.

stakor
Path Finder

| iplocation src_ip
| where Country="United States"
| stats count by src_ip
| geom geo_us_states featureIdField="State"

Produces a world map, and the legend shows a number of IP addresses.


stakor
Path Finder

| iplocation src_ip
| lookup geo_us_states longitude as Longitude, latitude as Latitude
| stats count by src_ip
| geom geo_us_states

Also produces a world map with a legend of IP addresses.

frobinson_splun
Splunk Employee

Thanks for the additional details. I updated my post as I worked through a couple of things to reproduce a choropleth map of ip addresses (see my answer).

When you generate the Choropleth map, it will always show a world map in the "Visualizations" tab. You have to scroll and zoom over to the U.S. to show the shaded states. Can you try scrolling and zooming to see if the US Choropleth map generated as expected? I think the required lats and lons might be missing for the shape rendering to work properly. See my answer above for some more suggestions on adjusting the search.


stakor
Path Finder

That did it. I just changed clientip to src_ip, and it worked like a charm.

Thank you very much.

frobinson_splun
Splunk Employee

Excellent! So glad to hear that that helped.


frobinson_splun
Splunk Employee

Hi @stakor,
I work on Choropleth map documentation. Taking a look at your notes here and will try to suggest something. Please stay tuned!
