- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Displaying on the map using longitude and latitude ?
Hi All,
I am very new to Splunk. My task is to display the location on the map using IP address.
I am able to succeed getting the Longitude and latitude. What I need next is to display it on the map or I can say point it to the map.
Please suggest how can I do this. Below is the search string I am using where I am getting the geobin, longitude and latitude
index="cc_web" sourcetype=* sourcetype= * | rex field=_raw "(?i)^(?P[^ ]+) "| search IP_address="*" | top limit=33 IP_address | iplocation IP_address| geostats first(item_number) as Item
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do I need to buy any third party extension to get the maps enabled as I tried the other widgets ..all are showing some data ..only map doesn't show any location ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


No you don't need to buy any third party extensions to get the maps enabled. It's your search string using the first function I think, that is disabling the data from being seen.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your quick response .....but I tried that but I am not able to see the view points on the map ...it just stays blank on the map but below the map it shows the stats table with same values geobin longitude and latitude.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I do count by city ..No result found
index="cc_web" sourcetype=* sourcetype= * | rex field=_raw "(?i)^(?P[^ ]+) "| search IP_address="*" | top limit=33 IP_address | iplocation IP_address | geostats count by city
When I do by Item I get the stats but nothing in Map
index="cc_web" sourcetype=* sourcetype= * | rex field=_raw "(?i)^(?P[^ ]+) "| search IP_address="*" | top limit=33 IP_address | iplocation IP_address | geostats first(item_number) as Item
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you see the search string I am pulling Ip addresses ...so If 10 IP's are coming from one location ...I wanna see that location with some display ...lets say 10% abc city.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


I edited my answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
first of all I do not have permissions to comment to someone's comments.
When I do | geostats count by Country I get the PIE CHART on my map....but I am looking for city.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


Ah I see. So what should your output look like? A single dot per city, where do you want the item information?
Check out the map object options in XML.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sure I will do from now I was not allowed to comment on that earlier when I tried.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


Try commenting on my answer (rather than answering again) to keep the flow of the conversation going (and keep answer conversations together
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


According to the comment:
If you see the search string I am pulling Ip addresses ...so If 10 IP's are coming from one location ...I wanna see that location with some display ...lets say 10% abc city.
The search:
index="cc_web" sourcetype=* sourcetype= *
| rex field=_raw "(?i)^(?P[^ ]+) "
| search IP_address="*"
| top limit=33 IP_address
| iplocation IP_address
| geostats first(item_number) as Item
So it sounds like you want to change
| geostats first(item_number) as Item
to something like
| geostats count by City
