Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Problem with Cisco ASA search query (iplocation)

madstylex
New Member
‎03-16-2016 06:19 PM

Hi,

I have a search string that shows the top 20 security related events by country on my Cisco ASA.

eventtype=cisco-security-events | iplocation src_ip | stats count by Country | sort 20 - count

It works well and displays the countries and total number of events for whichever time range I've specified.

However, when I want to click an individual country (Australia) and view the events, Splunk returns "No Results Found". Even though there are 8000+ events for Australia

A manual search also shows no results found:

eventtype=cisco-security-events  Country=Australia | iplocation src_ip

Can someone please explain why this is happening and kindly offer a solution?

Thanks Ninjas!

0 Karma
Reply

maciep
Champion
‎03-16-2016 07:17 PM

The problem is likely that the Country field doesn't exist until the iplocation command creates it. So for your manual, search, does something like this work?

eventtype=cisco-security-events | iplocation src_ip | where Country="Australia"
0 Karma
Reply

madstylex
New Member
‎03-16-2016 07:28 PM

That manual search does indeed work. Any idea on how to view the events by clicking through the results of my top 20 search?

0 Karma
Reply

maciep
Champion
‎03-17-2016 06:04 AM

Splunk tries to figure out how to drill down on its own, but doesn't always do a good job. If this is in a dashboard, Splunk allows you to configure how that works. I included some links below.

But I wonder if you change your base search to something like this, whether Splunk will add the country condition to a later spot in the search when drilling down for you?

 eventtype=cisco-security-events | iplocation src_ip | search Country=* | stats count by Country | sort 20 - count

http://docs.splunk.com/Documentation/Splunk/6.3.2/Viz/Understandbasictableandchartdrilldownactions

http://docs.splunk.com/Documentation/Splunk/latest/Viz/Dynamicdrilldownindashboardsandforms

0 Karma
Reply

ndoshi
Splunk Employee
Splunk Employee
‎04-17-2017 08:17 PM

I just tested your idea of eventtype=cisco-security-events | iplocation src_ip | search Country=* | stats count by Country | sort 20 - count and that seems to work for a drilldown with iplocation without having to do anything more.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...