
Can someone provide an example for Geom counts based on client IP?

Communicator

Hi all,

I'm trying to generate counts/hits based on client ip and create a map visualization similar to the one found on the site for 6.3 Geographic data visualizations. Can someone help and give a simple example?

0 Karma

Re: Can someone provide an example for Geom counts based on client IP?

Splunk Employee

Try this app. It contains a myriad of dashboard examples, including one that sounds like what you are trying to achieve (Under "Basic Elements" - "Maps")

0 Karma

Re: Can someone provide an example for Geom counts based on client IP?

Communicator

I tried the app but I couldn't get it to work with iplocation, which was why I asked the question in this forum.

0 Karma

Re: Can someone provide an example for Geom counts based on client IP?

Splunk Employee

Again, I recommend making sure that Country is not blank in any of the geoip outputs.

0 Karma

Re: Can someone provide an example for Geom counts based on client IP?

Splunk Employee

Something like this should work for the SPL:

assuming that the IP address you're interested in is "client_ip":

...generating search...
| iplocation client_ip
| stats count by Country
| geom geo_countries featureIdField=Country

You can then set the visualization type to Choropleth.

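A complete version of this search, added here as an example and not the poster's own code: it assumes web access events in an index named web with the client address in a field named clientip, and it drops events whose country iplocation could not resolve (the blank-Country case raised earlier in the thread) before counting by country and handing the result to geom.

```spl
index=web sourcetype=access_combined clientip=*
| iplocation clientip
| where isnotnull(Country) AND Country!=""
| stats count AS hits BY Country
| geom geo_countries featureIdField=Country allFeatures=true
```

Rows with an empty Country (private or unresolvable addresses) match no feature in geo_countries, so filtering them out keeps the stats output aligned with the feature collection; allFeatures=true makes geom emit every country polygon, so countries with zero hits are still drawn on the Choropleth instead of disappearing from the map.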


Re: Can someone provide an example for Geom counts based on client IP?

Communicator

I'm getting the following error: "Error in 'SearchOperator:Geom': could not resolve"

0 Karma

Re: Can someone provide an example for Geom counts based on client IP?

Splunk Employee

Could you post your entire search?

0 Karma

Re: Can someone provide an example for Geom counts based on client IP?

Splunk Employee

And post your dispatch log (inspect job).

0 Karma

Re: Can someone provide an example for Geom counts based on client IP?

Splunk Employee

I tracked down "could not resolve". This actually is occurring because the "filename" key cannot be found in transforms.conf, corresponding to the geo lookup named "geo_countries". Please locate your transforms.conf file that contains a stanza named [geo_countries]. In this stanza you should see something like:

[geo_countries]
external_type = geo
filename = XXX

(where XXX is the name of a .kmz file that resides in a folder named "lookups" under the splunk etc root).

The fact that the "could not resolve" error message is occurring seems to indicate that the filename key wasn't there, which in turn makes me wonder if the [geo_countries] stanza has gotten borked somehow.

Are you able to do this lookup (the geom command requires the same conf stanza I mentioned above)? So this is a way to check the stanza is correct (don't miss the opening pipe in this hack SPL):

| stats count | eval lat=37.7792 | eval lon=-122.4191 | lookup geo_countries longitude AS lon, latitude AS lat


Re: Can someone provide an example for Geom counts based on client IP?

Communicator

@ghendrey and @arobbins THANK YOU very much for your time on this item.

0 Karma