Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

iplocation/geostats to show events from statistics tab.

prithvi08
Engager
‎01-16-2018 01:59 PM

Hi, I'm trying to view event related to a specific country or city based on the source ip,so i ran the following query.

index=firewalls | iplocation allfields=true src_ip | stats count by Country City

which works fine by giving me a table like:

Country | City | count
Albania | Durres | 5
Argentina | Abel | 7
.
.
.

when i click any of the city or country to view the events related to that specific region, the search extends like
index=firewalls Country=Albania | iplocation allfields=true src_ip |

which return zero results because the filed Country comes before iplocation command. i know i can search it manually by entering it at the end of the search query like.
index=firewalls | iplocation allfields=true src_ip |search Country=Albania

but im running the query on a dsashboard which returns the count for each country ,city and i want to view the event directly by clicking the respective country from the dashboard. How can i do that ? Pls advice

Tags (2)
0 Karma
Reply

mayurr98
Super Champion
‎01-17-2018 12:28 AM

hey try this XML just plug and play

<form>
  <label>my dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=firewalls | iplocation allfields=true src_ip | stats count by Country City</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <link target="_blank">search?q=index=firewalls | iplocation allfields=true src_ip | search Country="$row.Country$"&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

let me know if this helps !

0 Karma
Reply

prithvi08
Engager
‎01-17-2018 12:52 PM

Hey..the page gets stuck loading. It doesn't seems be working.i can only see the title and its frozen at loading .

0 Karma
Reply

DalJeanis
Legend
‎01-16-2018 05:05 PM

In a dashboard, you could use the above search as a base search and then do postprocessing to select the country from a dropdown.

0 Karma
Reply

prithvi08
Engager
‎01-16-2018 07:48 PM

The above search woudnt result in a table and do mean to say selecting country from dropdown list ? how do i do that ? would it eventually let me see the events related to it ?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top