I realize this is a silly question but it just so happens we have so many firewalls in exist stance that traffic that is legitimate has been blocked and traffic that is not has been occasionally allowed though. I know the source index to pull the data from but I would think it would involve an iplookup on each entry (maybe using dedup to remove the consistent duplicates that I would think would exist) and somehow use geostats to map the iplookup on a visual map. How would one go about something this grand for 500,000 firewalls or more and can anyone suggest a lookup table I could use for geostats?
If you do, you certainly deserve a massive cookie and candy bar I'll even comment your name in the file if I can. Any or all thoughts are welcome because this one boggles my mind. I would also think I would need to accelerate this search for it to be useful but I'll leave the comments to more experienced Splunk ninjas.
The search below is native to Splunk, and I used the eventgen sample data so the field names may be a bit different but this might help you get started. Basically once I have the search criteria I am interested in, I call iplocation against the IP of the network device. If I stop there I will get a tabular output with city and country output for those devices. I can then take the geostats command and map the lat long from the iplocation results to the latField and longField and then do a count or count by Action or count by ComputerIPAddress to get the various bubbles to size out based on volume of events.
sourcetype=sophos:firewall ComputerIPAddress!="" |iplocation ComputerIPAddress |geostats latField=lat longField=lon count by Action