Source IP not plotting on cluster map

dcraven02 · ‎10-27-2017

I'm trying to plot source IP Addresses (src_ip) from web events on a cluster map but it does not seem to work.

It only works for me when I use the destination IP Address (dest_ip)

index=barracuda user=test | iplocation dest_ip | geostats count by Country

When I change dest_ip to source_ip it doesnt return anything.

index=barracuda user=test | iplocation src_ip | geostats count by Country

DalJeanis · ‎10-27-2017

First, try this and see if you get anything

index=barracuda user=test | head 100 | stats by src_ip

If not, check the spelling and capitalization of your source IP field.

If so, try this...

index=barracuda user=test | head 1000| iplocation src_ip | geostats count by Country

If that works, it means you are running out of time and/or memory.

If that does not work, then your source ips may not be being resolved...

index=barracuda user=test | head 1000| iplocation src_ip | eval Country=coalesce(Country,"IDunno") | stats count by Country

See where that leads.

mohanrajm · ‎07-18-2020

Thank you for very simple step by step to troubleshoot this issue. It helped me 🙂

Are you a member of the Splunk Community?