iplocation/geostats to show events from statistics tab.

prithvi08
Engager

Hi, I'm trying to view events related to a specific country or city based on the source IP, so I ran the following query:

index=firewalls | iplocation allfields=true src_ip | stats count by Country City

which works fine, giving me a table like:

Country   | City   | count
Albania   | Durres | 5
Argentina | Abel   | 7
...

When I click any of the cities or countries to view the events related to that specific region, the search extends like:
index=firewalls Country=Albania | iplocation allfields=true src_ip |

which returns zero results because the field Country comes before the iplocation command. I know I can search it manually by entering it at the end of the search query like:
index=firewalls | iplocation allfields=true src_ip |search Country=Albania

but I'm running the query on a dashboard which returns the count for each country and city, and I want to view the events directly by clicking the respective country from the dashboard. How can I do that? Please advise.

mayurr98
Super Champion

Hey, try this XML, just plug and play:

<form>
  <label>my dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=firewalls | iplocation allfields=true src_ip | stats count by Country City</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <link target="_blank">search?q=index=firewalls | iplocation allfields=true src_ip | search Country="$row.Country$"&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

Let me know if this helps!

prithvi08
Engager

Hey, the page gets stuck loading. It doesn't seem to be working. I can only see the title and it's frozen at loading.

DalJeanis
SplunkTrust

In a dashboard, you could use the above search as a base search and then do post-processing to select the country from a dropdown.
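The base-search plus post-process layout DalJeanis describes, combined with the per-row drilldown from mayurr98's answer, written out as an added Simple XML example (this is not code from either poster or from Splunk's own documentation). It assumes the same index=firewalls and src_ip field as the question; the search id geo_base and the tokens tr and country are names chosen for this example.

```xml
<form>
  <label>Firewall source geo (added example)</label>

  <!-- Base search: runs once, and the dropdown and the table both post-process its
       result set. Because it ends in a transforming command (stats), it stays well
       under the post-process result limit. Assumes index=firewalls and a src_ip field. -->
  <search id="geo_base">
    <query>index=firewalls | iplocation allfields=true src_ip | stats count by Country City</query>
    <earliest>$tr.earliest$</earliest>
    <latest>$tr.latest$</latest>
  </search>

  <fieldset submitButton="false">
    <input type="time" token="tr">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>

    <!-- Country dropdown populated from the base search, so the index is scanned only once.
         The static "All" choice maps to * so the table shows everything until a country is picked. -->
    <input type="dropdown" token="country">
      <label>Country</label>
      <choice value="*">All</choice>
      <default>*</default>
      <search base="geo_base">
        <query>stats sum(count) as count by Country | sort Country</query>
      </search>
      <fieldForLabel>Country</fieldForLabel>
      <fieldForValue>Country</fieldForValue>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Count by country and city</title>
      <table>
        <!-- Post-process: filter on Country AFTER iplocation has produced it -->
        <search base="geo_base">
          <query>search Country="$country$"</query>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <!-- Open the raw events for the clicked row. The Country/City filter sits after
               iplocation, which is why the default drilldown (Country= before the pipe) returned
               nothing. The fixed part of the query is URL-encoded and the row tokens carry the
               |u filter so city names with spaces survive the link. -->
          <link target="_blank">search?q=index%3Dfirewalls%20%7C%20iplocation%20allfields%3Dtrue%20src_ip%20%7C%20search%20Country%3D%22$row.Country|u$%22%20City%3D%22$row.City|u$%22&amp;earliest=$tr.earliest$&amp;latest=$tr.latest$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>
```

Two points worth keeping in mind when adapting this: a post-process search only sees the rows the base search returns, so the base search should be a transforming search (as here) rather than a raw event search, and the drilldown link has to repeat the iplocation step because Country and City exist only after that command, not in the indexed firewall events.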

prithvi08
Engager

The above search wouldn't result in a table. Do you mean selecting a country from a dropdown list? How do I do that? Would it eventually let me see the events related to it?