Displaying on the map using longitude and latitude?

Hi All,
I am very new to Splunk. My task is to display the location on the map using IP address.
I am able to succeed getting the Longitude and latitude. What I need next is to display it on the map or I can say point it to the map.

Please suggest how I can do this. Below is the search string I am using, where I am getting the geobin, longitude and latitude:

index="cc_web" sourcetype=* sourcetype= * | rex field=_raw "(?i)^(?P<IP_address>[^ ]+) "| search IP_address="*" | top limit=33 IP_address | iplocation IP_address| geostats first(item_number) as Item
0 Karma

Do I need to buy any third party extension to get the maps enabled? I tried the other widgets... all are showing some data... only the map doesn't show any location.

0 Karma

Splunk Employee

No, you don't need to buy any third party extensions to get the maps enabled. It's your search string using the first function, I think, that is disabling the data from being seen.

0 Karma

Thanks for your quick response... I tried that, but I am not able to see the view points on the map. It just stays blank on the map, but below the map it shows the stats table with the same values: geobin, longitude and latitude.

0 Karma

When I do count by city, no result found:
index="cc_web" sourcetype=* sourcetype= * | rex field=_raw "(?i)^(?P<IP_address>[^ ]+) "| search IP_address="*" | top limit=33 IP_address | iplocation IP_address | geostats count by city

When I do by Item, I get the stats but nothing in the map:
index="cc_web" sourcetype=* sourcetype= * | rex field=_raw "(?i)^(?P<IP_address>[^ ]+) "| search IP_address="*" | top limit=33 IP_address | iplocation IP_address | geostats first(item_number) as Item

0 Karma

If you see the search string, I am pulling IP addresses... so if 10 IPs are coming from one location, I wanna see that location with some display... let's say 10% abc city.

0 Karma

Splunk Employee

I edited my answer.

0 Karma

First of all, I do not have permissions to comment on someone's comments.

When I do | geostats count by Country I get the pie chart on my map... but I am looking for city.

0 Karma

Splunk Employee

Ah I see. So what should your output look like? A single dot per city, where do you want the item information?

Check out the map object options in XML.

0 Karma

Sure, I will do so from now on. I was not allowed to comment on that earlier when I tried.

0 Karma

Splunk Employee

Try commenting on my answer (rather than answering again) to keep the flow of the conversation going (and keep answer conversations together).

0 Karma

Splunk Employee

According to the comment:

If you see the search string, I am pulling IP addresses... so if 10 IPs are coming from one location, I wanna see that location with some display... let's say 10% abc city.

The search:

index="cc_web" sourcetype=* sourcetype= * 
| rex field=_raw "(?i)^(?P<IP_address>[^ ]+) "
| search IP_address="*" 
| top limit=33 IP_address 
| iplocation IP_address
| geostats first(item_number) as Item

So it sounds like you want to change

| geostats first(item_number) as Item

to something like

| geostats count by City
0 Karma
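
A variant of the search discussed in this thread, added here as an example and not posted by any participant. It leaves out `top` (which keeps only `IP_address`, `count` and `percent`, so any other field is gone before `geostats` runs), counts events per city, and names the `lat` and `lon` fields that `iplocation` produces. Field names are case-sensitive, so the split-by field is `City`, not `city`.

```spl
index="cc_web" sourcetype=*
| rex field=_raw "^(?P<IP_address>[^ ]+) "
| search IP_address="*"
| iplocation IP_address
| where isnotnull(lat) AND isnotnull(lon)
| geostats latfield=lat longfield=lon count by City
```

Addresses that `iplocation` cannot resolve, such as private ranges, get no coordinates, which is why the `where` clause drops them before mapping.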