Solved: Creating visualization of list of ip address

andrewhlui · ‎09-11-2017

I have data that has multiple (and variable) ip addresses associated with each event.

For example:
ABCD September 11, 2017 123.123.123.3 234.234.234.234.3
SDFG September 11, 2017 234.234.234.1 23.235.243.3 345.6.74.12

I am trying to create a map of IPs with geostats.

I tried doing index = abc | values(ip_addresses) | iplocation ip_addresses | geostats count by Country but that didn't seem to work - I think iplocation doesn't work with lists.

Any recommendations?

niketn · ‎09-11-2017

Use mvexpand to convert from multivalue to single value. Try the following:

index = abc 
| stats values(ip_addresses) as ip_addresses 
| mvexpand ip_addresses 
| iplocation ip_addresses 
| geostats count by Country

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎09-11-2017

Use mvexpand to convert from multivalue to single value. Try the following:

index = abc 
| stats values(ip_addresses) as ip_addresses 
| mvexpand ip_addresses 
| iplocation ip_addresses 
| geostats count by Country

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Creating visualization of list of ip address

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Creating visualization of list of ip address

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability