Splunk Search

How do I display results on map in 6.2

New Member

I am brand spanking new to Splunk and trying to learn the product so be patient....

I have been looking through the forums and Google and tried a lot of examples, but no go so far. I am sure it is something simple, but need guidance.

I am trying to get the results from this search to display on a map in Splunk. The goal is to show activity on a map.

src_geo=* | iplocation src_geo | geostats count by src_ip | sort -count

The search shows 442k for a 24-hour period under Events, but under Visualization/Map it shows No Results.

What am I missing?

0 Karma

Re: How do I display results on map in 6.2

Splunk Employee

Have you tried using the details at these URLs? They document the geostats and iplocation commands you are trying to use.

http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Geostats
http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Iplocation

Here is an example of a command doing what I believe you are trying to achieve.

sourcetype=access_combined clientip=* status!=200
| dedup clientip, host
| iplocation prefix=cip clientip
| geostats latfield=ciplat longfield=ciplon count by status

0 Karma
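As an added example (not part of the thread), the same iplocation-then-geostats pattern applied to the asker's own field. It assumes src_ip holds a dotted IPv4 address (the field name is taken from the question's `geostats count by src_ip`); the prefix value src_ is an arbitrary choice, and geostats is kept as the final command so the Map visualization receives its output unchanged rather than a re-sorted table.

```spl
src_ip=*
| iplocation prefix=src_ src_ip
| geostats latfield=src_lat longfield=src_lon count
```

Splitting the count with `by src_ip` would produce one series per address in every map bin; a low-cardinality field such as status or action is the usual choice when a split is wanted.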

Re: How do I display results on map in 6.2

New Member

I appreciate your answer but have some follow-up questions. First, when I took your example I got no results.

What does "sourcetype=access_combined" refer to? When I tried to break the search into chunks (at the pipe) I still got no results.

0 Karma