Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Source IP not plotting on cluster map

dcraven02
New Member
‎10-27-2017 02:11 PM

I'm trying to plot source IP Addresses (src_ip) from web events on a cluster map but it does not seem to work.

It only works for me when I use the destination IP Address (dest_ip)

index=barracuda user=test | iplocation dest_ip | geostats count by Country

When I change dest_ip to source_ip it doesnt return anything.

index=barracuda user=test | iplocation src_ip | geostats count by Country

0 Karma
Reply

DalJeanis
SplunkTrust
SplunkTrust
‎10-27-2017 03:44 PM

First, try this and see if you get anything

index=barracuda user=test | head 100 | stats by src_ip

If not, check the spelling and capitalization of your source IP field.

If so, try this...

index=barracuda user=test | head 1000| iplocation src_ip | geostats count by Country

If that works, it means you are running out of time and/or memory.

If that does not work, then your source ips may not be being resolved...

index=barracuda user=test | head 1000| iplocation src_ip | eval Country=coalesce(Country,"IDunno") | stats count by Country

See where that leads.

Reply

mohanrajm
Explorer
‎07-18-2020 12:57 PM

Thank you for very simple step by step to troubleshoot this issue. It helped me 🙂

Reply
Get Updates on the Splunk Community!

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...