Cloud Provisioning Activity from Unusual Country -...

jaibalaraman · ‎10-21-2020

Hi

Can anyone help me why the below search is not working.

index=aws sourcetype=aws:cloudtrail eventName=Create* OR eventName=Run* OR eventName=Attach* 
|stats count by src eventName 
| iplocation src

Thanks

kennetkline · ‎10-21-2020

Search is working for me; against my AWS dataset

By not working (no results) or just no iplocation lookup??

Try iterative approach

1. Search ensure results: (expand time window as necessary)

index=aws sourcetype=aws:cloudtrail ( eventName=Create* OR eventName=Run* OR eventName=Attach* )

2. added your stats count by src, eventName

I assume you are getting ip's and not hostname's in the src field (well a single IP).

3. If the src's is somehow a multivalue, (multipe ips) something your are going to need an mvexpand, split if comma separated or something. It hast to be getting a single ip per row.

4. | iplocation src

Hope this helps.

Cloud Provisioning Activity from Unusual Country - SPL search not working

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Are you a member of the Splunk Community?

Cloud Provisioning Activity from Unusual Country - SPL search not working

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025