Solved: Re: Can't filter by Country even though there is c...

bayman · ‎05-14-2017

When I run the following search, I get a list of countries and their count.

eventtype=cisco-firewall src_ip="*" dest_port="445" | iplocation src_ip | stats count by Country

But when I click on one of the countries and click "View Events" it runs the new search below but returns "No results found" even though I know the Country has events from the first search based on the count. What am I doing wrong?

eventtype=cisco-firewall src_ip="*" dest_port="445"  Country=Canada| iplocation src_ip

bayman · ‎05-14-2017

eventtype=cisco-firewall src_ip="*" dest_port="445" | iplocation src_ip | search Country=Canada

View solution in original post

bayman · ‎05-14-2017

eventtype=cisco-firewall src_ip="*" dest_port="445" | iplocation src_ip | search Country=Canada

MuS · ‎05-14-2017

Isn't the field Country only available after the iplocation command?

bayman · ‎05-14-2017

I think there is a bug in the Cisco Firewall app for "View Events"

Changing the search to this works as you suggested:

eventtype=cisco-firewall src_ip="*" dest_port="445" | iplocation src_ip | search Country=Canada

Can't filter by Country even though there is count

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?