I want to see, on a daily basis, where traffic is coming from, something like below.
SourceIP   Event Count   City          State   Country
1.1.1.1    24            Minneapolis   MN      USA
2.2.2.2    20            Anqing        Anhui   China
sourcetype=your source | iplocation SourceIP | stats count by SourceIP, City, Region, Country
You should use the order from my answer; it gives you the same result with way fewer invocations of iplocation.
Something like this?
your base search | stats count as "Event Count" by SourceIP | iplocation SourceIP
There is no field State, it's called Region.
That shouldn't stop it all from working though... check if you have the lat and lon fields after calling the iplocation command for your ip field.
I'm aware of the private address ranges and I'm excluding them from what I'm trying to do. It appears that I can't insert '|Table City, State, Country' with this sort of report.
Not all IP addresses have known location approximations, especially private ones. Make sure you're not suffering from that.
I tried that and I don't get any IPLocation data to add to the report.
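The points raised in this thread, combined into one search as an added example (not posted by any participant): it buckets by day, aggregates before calling iplocation so each SourceIP is looked up once per day, and renames Region to State for display. The sourcetype name is a placeholder, and the three RFC 1918 ranges are an assumption about which private addresses to exclude.

```spl
sourcetype=your_sourcetype SourceIP=*
| where NOT (cidrmatch("10.0.0.0/8", SourceIP) OR cidrmatch("172.16.0.0/12", SourceIP) OR cidrmatch("192.168.0.0/16", SourceIP))
| bin _time span=1d
| stats count BY _time, SourceIP
| sort 0 _time, -count
| iplocation SourceIP
| rename count AS "Event Count", Region AS State
| table _time SourceIP "Event Count" City State Country
```

If City, State and Country come back empty for public addresses, run the search only up to the iplocation line and check whether lat and lon are populated, as suggested above.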