How to create a report that shows the number of ev...

jaybolser · ‎10-17-2014

I want to see on a daily basis, where traffic is coming from, something like below.

SourceIP Event Count City State Country
1.1.1.1. 24 Minneapolis MN USA
2.2.2.2 20 Anqing Anhui China

Dallastek · ‎12-27-2016

sourcetype=your source | iplocation SourceIP | stats count by SourceIP, City, Region, Country

martin_mueller · ‎12-27-2016

You should use the order from my answer, gives you the same result with way fewer invocations of iplocation.

martin_mueller · ‎10-17-2014

Something like this?

your base search | stats count as "Event Count" by SourceIP | iplocation SourceIP

martin_mueller · ‎10-21-2014

There is no field State, it's called Region.

That shouldn't stop it all from working though... check if you have the lat and lon fields after calling the iplocation command for your ip field.

jaybolser · ‎10-21-2014

I'm aware of the private address ranges and I'm excluding them from what I'm trying to do. It appears that I can't insert '|Table City, State, Country' with this sort of report.

martin_mueller · ‎10-21-2014

Not all IP addresses have known location approximations, especially private ones. Make sure you're not suffering from that.

jaybolser · ‎10-21-2014

I tried that and I don't get any IPLocation data to add to the report.

How to create a report that shows the number of events coming from a source IP address and include the iplocation data elements, City, State, Country?

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform