Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Can someone provide an example for Geom counts based on client IP?

spammenot66
Contributor
‎12-17-2015 12:37 PM

Hi all,

I'm trying to generate counts/hits based on client ip and create a map visualization similar to the one found on the site for 6.3 Geographic data visualizations. Can someone help and give a simple example?

Reply
1 Solution
Solved! Jump to solution
Solution

arobbins_splunk
Splunk Employee
Splunk Employee
‎01-04-2016 04:10 PM

Something like this should work for the SPL:

assuming that the IP address you're interested in is "client_ip"

...generating search...
| iplocation client_ip
| stats count by Country
| geom geo_countries featureIdField=Country

you can then set the visualization type to Choropleth

View solution in original post

Reply
Solved! Jump to solution

ghendrey_splunk
Splunk Employee
Splunk Employee
‎01-15-2016 12:33 PM

and post your dispatch log (inspect job)

0 Karma
Reply
Solved! Jump to solution

ghendrey_splunk
Splunk Employee
Splunk Employee
‎01-15-2016 12:49 PM

I tracked down "could not resolve". This actually is occurring because the "filename" key cannot be found in transforms.conf, corresponding to the geo lookup named "geo_countries". Please locate your transforms.conf file that contains a stanza named [geo_countries]. In this stanza you should see something like:
[geo_countries]
external_type=geo
filename=XXX
(where XXX is the name of a .kmz file that resides in a folder named "lookups" under the splunk etc root).

The fact that the "could not resolve" error message is occurring seems to indicate that the filename key wasn't there, which in turn makes me wonder if the [geo_countries] stanza has gotten borked somehow.

Are you able to do this lookup (the geom command requirers the same conf stanza I mentioned above)? SO this is a way to check the stanza is correct (don't miss the opening pipe in this hack SPL):
|stats count|eval lat =37.7792| eval lon=-122.4191|lookup geo_countries longitude as lon, latitude as lat

Reply
Solved! Jump to solution

spammenot66
Contributor
‎03-02-2016 11:43 AM

@ghendrey and @arobbins THANK YOU very much for your time on this item.

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎12-17-2015 01:01 PM

Try this app. It contains a myriad of dashboard examples, including one that sounds like what you are trying to achieve (Under "Basic Elements" - "Maps")

0 Karma
Reply
Solved! Jump to solution

spammenot66
Contributor
‎12-19-2015 07:41 PM

i tried the app but i couldn't get it to work with iplocation which was why i asked the question in this forum.

0 Karma
Reply
Solved! Jump to solution

ghendrey_splunk
Splunk Employee
Splunk Employee
‎01-21-2016 02:39 PM

again, I recommend making sure that Country is not blank in any of the geoip outputs

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...