How do I display results on map in 6.2

sotherlss · ‎01-21-2016

I am brand spanking new to Splunk and trying to learn the product so be patient....

I have been looking through the forums and Google and tried a lot of examples, but no go so far. I am sure it is something simple, but need guidance.

I am trying to get the results from this search to display on a map in Splunk. The goal is to show activity on a map.

src_geo=* | iplocation src_geo | geostats count by src_ip | sort -count

The search shows 442k for a 24 hour period in Events, but under Visualization/Map it shows No Results

What am I missing?

sotherlss · ‎01-22-2016

I appreciate your answer but have some follow up questions. First, when I took your example I got no results.

What does "sourcetype=access_combined" refer to? When I tried to break the search into chunks (at the pipe) I still got no results.

ncrofts_splunk · ‎01-21-2016

Have you tried using the details at this URL? It documents the Geostats command and iplocation commands which you are trying to use.

http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Geostats
http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Iplocation

Here is an example of a command doing what I believe you are trying to achieve.

sourcetype=access_combined clientip=* status!=200
| dedup clientip, host
| iplocation prefix=cip_ clientip
| geostats latfield=cip_lat longfield=cip_lon count by status

How do I display results on map in 6.2

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!