Splunk Search

Geostats Cluster Map Help

ChocolateRocket
Explorer

Any reason why this can't be visualized in a geo cluster map?

source="udp:514" index="syslog" NOT src_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 17.0.0.0/8) action=DROP src_ip!="162.159.192.9" | iplocation src_ip | geostats count by country

ChocolateRocket_0-1709916318464.png

ChocolateRocket_1-1709916366647.png

ChocolateRocket_2-1709917685622.png

 

 

 

Labels (1)
0 Karma
1 Solution

Richfez
SplunkTrust
SplunkTrust

The field is "Country" not "country".

Try

...
| iplocation src_ip 
| geostats count by Country

 

Happy Splunking!

-Rich

View solution in original post

ChocolateRocket
Explorer

So, why is Lat/Long included as a data point? Even the tutorial I'm following has the same result, but surely there is a way to not show these since its sort of meaningless? (And don't call me Shirley!) 🙂

ChocolateRocket_0-1709995364551.png

 

0 Karma

marnall
Builder

@ChocolateRocket, the latitude and longitude fields are generated by the iplocation command and they are used to plot the data points on the map. You could remove them but then that would break the visualization.

Good luck, we're all counting on you.

0 Karma

ChocolateRocket
Explorer

If that is correct, then the planet earth and all humanity is in the wrong hands.

🙂

0 Karma

Richfez
SplunkTrust
SplunkTrust

The field is "Country" not "country".

Try

...
| iplocation src_ip 
| geostats count by Country

 

Happy Splunking!

-Rich

ChocolateRocket
Explorer

Good lord. that was too easy.

Appreciate the help.

I keep forgetting I'm in a 'Nix world now.

Thank goodness PowerShell doesn't mind capitalization rule breakage. 😄

0 Karma

marnall
Builder

The iplocation command generates the capitalized field "Country", not "country", so it should work if you capitalize Country:

| geostats count by Country

Richfez
SplunkTrust
SplunkTrust

Sweet, I was probably typing (got distracted) when you were posting.  Glad we had the same answer.  🙂

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...