Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can someone provide an example for Geom counts based on client IP?

spammenot66
Contributor
‎12-17-2015 12:37 PM

Hi all,

I'm trying to generate counts/hits based on client ip and create a map visualization similar to the one found on the site for 6.3 Geographic data visualizations. Can someone help and give a simple example?

Reply
1 Solution
Solved! Jump to solution
Solution

arobbins_splunk
Splunk Employee
Splunk Employee
‎01-04-2016 04:10 PM

Something like this should work for the SPL:

assuming that the IP address you're interested in is "client_ip"

...generating search...
| iplocation client_ip
| stats count by Country
| geom geo_countries featureIdField=Country

you can then set the visualization type to Choropleth

View solution in original post

Reply
Solved! Jump to solution

ghendrey_splunk
Splunk Employee
Splunk Employee
‎01-15-2016 12:33 PM

and post your dispatch log (inspect job)

0 Karma
Reply
Solved! Jump to solution

ghendrey_splunk
Splunk Employee
Splunk Employee
‎01-15-2016 12:49 PM

I tracked down "could not resolve". This actually is occurring because the "filename" key cannot be found in transforms.conf, corresponding to the geo lookup named "geo_countries". Please locate your transforms.conf file that contains a stanza named [geo_countries]. In this stanza you should see something like:
[geo_countries]
external_type=geo
filename=XXX
(where XXX is the name of a .kmz file that resides in a folder named "lookups" under the splunk etc root).

The fact that the "could not resolve" error message is occurring seems to indicate that the filename key wasn't there, which in turn makes me wonder if the [geo_countries] stanza has gotten borked somehow.

Are you able to do this lookup (the geom command requirers the same conf stanza I mentioned above)? SO this is a way to check the stanza is correct (don't miss the opening pipe in this hack SPL):
|stats count|eval lat =37.7792| eval lon=-122.4191|lookup geo_countries longitude as lon, latitude as lat

Reply
Solved! Jump to solution

spammenot66
Contributor
‎03-02-2016 11:43 AM

@ghendrey and @arobbins THANK YOU very much for your time on this item.

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎12-17-2015 01:01 PM

Try this app. It contains a myriad of dashboard examples, including one that sounds like what you are trying to achieve (Under "Basic Elements" - "Maps")

0 Karma
Reply
Solved! Jump to solution

spammenot66
Contributor
‎12-19-2015 07:41 PM

i tried the app but i couldn't get it to work with iplocation which was why i asked the question in this forum.

0 Karma
Reply
Solved! Jump to solution

ghendrey_splunk
Splunk Employee
Splunk Employee
‎01-21-2016 02:39 PM

again, I recommend making sure that Country is not blank in any of the geoip outputs

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...