Hi all,
I'm trying to generate counts/hits based on client ip and create a map visualization similar to the one found on the site for 6.3 Geographic data visualizations. Can someone help and give a simple example?
Something like this should work for the SPL:
Assuming that the IP address you're interested in is "client_ip":
...generating search...
| iplocation client_ip
| stats count by Country
| geom geo_countries featureIdField=Country
You can then set the visualization type to Choropleth.
and post your dispatch log (inspect job)
I tracked down "could not resolve". This actually is occurring because the "filename" key cannot be found in transforms.conf, corresponding to the geo lookup named "geo_countries". Please locate your transforms.conf file that contains a stanza named [geo_countries]. In this stanza you should see something like:
[geo_countries]
external_type=geo
filename=XXX
(where XXX is the name of a .kmz file that resides in a folder named "lookups" under the splunk etc root).
The fact that the "could not resolve" error message is occurring seems to indicate that the filename key wasn't there, which in turn makes me wonder if the [geo_countries] stanza has gotten borked somehow.
Are you able to do this lookup (the geom command requires the same conf stanza I mentioned above)? So this is a way to check the stanza is correct (don't miss the opening pipe in this hack SPL):
| stats count | eval lat=37.7792 | eval lon=-122.4191 | lookup geo_countries longitude as lon, latitude as lat
@ghendrey and @arobbins THANK YOU very much for your time on this item.
Try this app. It contains a myriad of dashboard examples, including one that sounds like what you are trying to achieve (Under "Basic Elements" - "Maps")
I tried the app but I couldn't get it to work with iplocation, which was why I asked the question in this forum.
Again, I recommend making sure that Country is not blank in any of the geoip outputs.
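The "could not resolve" diagnosis earlier in the thread comes down to whether the [geo_countries] stanza in transforms.conf still has its filename key. The following offline check of that stanza is an added example, not code from any poster or from Splunk; the function names, the sample conf text and the sample file name geo_countries.kmz are constructed for illustration.

```python
import re

# Constructed sample transforms.conf contents (not taken from a real system).
GOOD_CONF = """\
[geo_countries]
external_type = geo
filename = geo_countries.kmz
"""
BROKEN_CONF = """\
# constructed override that lost its filename key
[geo_countries]
external_type = geo
"""

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check_geo_lookup(conf_text, lookup="geo_countries", available_files=()):
    """Return a list of problems with a geo lookup stanza (empty list = OK)."""
    stanza = parse_conf(conf_text).get(lookup)
    if stanza is None:
        return [f"stanza [{lookup}] not found"]
    problems = []
    if stanza.get("external_type") != "geo":
        problems.append("external_type is not 'geo'")
    filename = stanza.get("filename", "")
    if not filename:
        problems.append("filename key is missing or empty")
    elif available_files and filename not in available_files:
        # available_files: names found in the "lookups" folder (hypothetical input)
        problems.append(f"{filename} not present in lookups folder")
    return problems

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("broken", BROKEN_CONF)):
        print(name, check_geo_lookup(conf, available_files={"geo_countries.kmz"}) or "OK")
```

Run it against the text of each transforms.conf that defines the stanza, since a local copy without filename is the case the thread describes.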