Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

Source IP not plotting on cluster map

dcraven02
New Member
โ€Ž10-27-2017 02:11 PM

I'm trying to plot source IP Addresses (src_ip) from web events on a cluster map but it does not seem to work.

It only works for me when I use the destination IP Address (dest_ip)

index=barracuda user=test | iplocation dest_ip | geostats count by Country

When I change dest_ip to source_ip it doesnt return anything.

index=barracuda user=test | iplocation src_ip | geostats count by Country

0 Karma
Reply

DalJeanis
SplunkTrust
SplunkTrust
โ€Ž10-27-2017 03:44 PM

First, try this and see if you get anything

index=barracuda user=test | head 100 | stats by src_ip

If not, check the spelling and capitalization of your source IP field.

If so, try this...

index=barracuda user=test | head 1000| iplocation src_ip | geostats count by Country

If that works, it means you are running out of time and/or memory.

If that does not work, then your source ips may not be being resolved...

index=barracuda user=test | head 1000| iplocation src_ip | eval Country=coalesce(Country,"IDunno") | stats count by Country

See where that leads.

Reply

mohanrajm
Explorer
โ€Ž07-18-2020 12:57 PM

Thank you for very simple step by step to troubleshoot this issue. It helped me ๐Ÿ™‚

Reply