Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

iplocation/geostats to show events from statistics tab.

prithvi08
Engager
‎01-16-2018 01:59 PM

Hi, I'm trying to view event related to a specific country or city based on the source ip,so i ran the following query.

index=firewalls | iplocation allfields=true src_ip | stats count by Country City

which works fine by giving me a table like:

Country | City | count
Albania | Durres | 5
Argentina | Abel | 7
.
.
.

when i click any of the city or country to view the events related to that specific region, the search extends like
index=firewalls Country=Albania | iplocation allfields=true src_ip |

which return zero results because the filed Country comes before iplocation command. i know i can search it manually by entering it at the end of the search query like.
index=firewalls | iplocation allfields=true src_ip |search Country=Albania

but im running the query on a dsashboard which returns the count for each country ,city and i want to view the event directly by clicking the respective country from the dashboard. How can i do that ? Pls advice

Tags (2)
0 Karma
Reply

mayurr98
Super Champion
‎01-17-2018 12:28 AM

hey try this XML just plug and play

<form>
  <label>my dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=firewalls | iplocation allfields=true src_ip | stats count by Country City</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <link target="_blank">search?q=index=firewalls | iplocation allfields=true src_ip | search Country="$row.Country$"&amp;earliest=$field1.earliest$&amp;latest=$field1.latest$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</form>

let me know if this helps !

0 Karma
Reply

prithvi08
Engager
‎01-17-2018 12:52 PM

Hey..the page gets stuck loading. It doesn't seems be working.i can only see the title and its frozen at loading .

0 Karma
Reply

DalJeanis
Legend
‎01-16-2018 05:05 PM

In a dashboard, you could use the above search as a base search and then do postprocessing to select the country from a dropdown.

0 Karma
Reply

prithvi08
Engager
‎01-16-2018 07:48 PM

The above search woudnt result in a table and do mean to say selecting country from dropdown list ? how do i do that ? would it eventually let me see the events related to it ?

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...