Hi @woodcock , Hi @to4kawa

thanks for your hints. @woodcock I really appreciate your detailed answer.

I found what helped me to solve my issue within "Splunk Dashboard Examples"

It was one word that seemed to be required to solve my problem: OUTPUT

Without OUTPUT at the end of my search the "featureId" field was not being generated...

Therefore I couln't further "filter" my map down to the states.

index=cisco_vpn sourcetype=cisco:ios
mnemonic=EZVPN_CONNECTION_* |
iplocation Client_public_addr
Server_public_addr allfields=true |
lookup geo_de_bundeslaender latitude
as lat longitude as lon OUTPUT
featureId | stats count by featureId |
geom geo_de_bundeslaender

This is what my search command looks like now.
I realised that the mapping for my lookup is crucial to. If you don't specify the "as" as the output of your geoinformation command (iplocation in my case) it won't work...

When I was searching through Splunk I found following csv file, which I replicated for my usage:

@to4kawa what I have done is not official. I found the kml file on following page:
https://community.qlik.com/t5/Qlik-Sense-Documents-Videos/KML-files-for-Germany-Austria-Switzerland-...

I then extracted only the XML tags with the position information and replaced that in a copy from "geo_us_states".

Only thing that I could not replicate yet is displaying the state codes on the map. If you happen to find how that's done I would appreciate any additional hints.

I checked Choropleth Map before
https://answers.splunk.com/answers/795337/statistics-to-choropleth-map-1.html

you should make featureId state

geo_germany is official? I want it.
good luck

First, read the best treatment of Splunk and mapping anywhere:
https://www.splunk.com/en_us/blog/tips-and-tricks/use-custom-polygons-in-your-choropleth-maps.html

The | inputlookup my_lookup is just to see if you can access the featureId and geom fields inside of you KML or KMZ file. If it is built in such a way that Splunk can use it, you should see many lines returned on the Statistics tab. It sounds like you got this far. If you did not, consider using the Shapester - Geo Shape Editor app on Splunkbase (https://splunkbase.splunk.com/app/2893/) to build some shapes into a KML file that definitely should be Splunk-geo-compatible. If you then click on the Visualization tab, you should be able to see the results on a map but you must do ALL of the following:

1: Select the `Choropleth Map` visualization.
2: Keep `zooming` and `centering` your view until it is positioned over the location of the shapes in your file.
3: If your shapes are small, you will find that the default maps do not allow enough `zoom` to see them; to fix this....
4: Click on the `Format` tool (the `paint brush` icon) and go to the `Tiles` section.
5: Look at the comment that says `The URL to use for requesting tiles, ex: http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png` and grab the `http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png` text and paste it into the `URL` field.  Instantly you should have infinite `zoom` detail.  Really, this is probably the `secret magic` that you lacked.  This is not clearly documented anywhere and we only discovered it by accident playing around.

It really helps to take a look at the Choropleth Map Color Modes example with San Francisco Neighborhoods in the Map Elements area of the Splunk Dashboard Examples app on Splunkbase (https://splunkbase.splunk.com/app/1603/). It shows you how to do everything EXCEPT for the magical #5 step. Although the recommended tile set is really good, there are many, MANY, options out there so be sure to try a variety. Here are some alternative tile sets that render instantly in Splunk:

https://wiki.openstreetmap.org/wiki/Tile_servers
OpenStreetMaps: http://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png
Wikipedia: https://maps.wikimedia.org/osm-intl/{z}/{x}/{y}.png
OpenCycleMap: http://tile.thunderforest.com/cycle/{z}/{x}/{y}.png
Humanitarian Style: http://a.tile.openstreetmap.fr/hot/{z}/{x}/{y}.png
Hike and Bike: https://tiles.wmflabs.org/hikebike/{z}/{x}/{y}.png