Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: map visulization with lookup table
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Splunkers !
i wanted to visualize data on map so i used this command and it worked:
index=myFirewall | stats count by src_ip | iplocation src_ip | geostats count by Country
but i want to show countries on map from a predefined list, so have a called "blacklisted.csv" that looks like this:
| blacklisted_countries | |
| 1 | country1 |
| 2 | country2 |
| 3 | country3 |
| 4 | country4 |
| 5 | country5 |
so i wrote a a search to combine the aforementioned search from the lookup table using this command:
index=myFirewall [ | inputlookup blacklisted.csv | search blacklisted_countries=srccountry] | stats count by src_ip | iplocation src_ip | geostats count by Country
but it didn't give me any results, please help me with it, i want a search the combines visualizing source countries with lookup tables.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This may help..
index=myFirewall [ | inputlookup blacklisted.csv| fields blacklisted_countries | rename blacklisted_countries as srccountry] | stats count by src_ip | iplocation src_ip | geostats count by Country
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
exactly ! thanks splunker mate ^_^
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Looks like you need to do the iplocation before hand, as the data doesnt yet contain the Country info until you do. This may not be the most efficient, but try this to get started, it worked for me:
index=myFirewall | iplocation clientip | lookup blacklisted.csv blacklisted_countries AS Country OUTPUT blacklisted_countries AS Country | geostats count by Country
I created a lookup called blacklisted.csv with a column called blacklisted_countries which contain the list of countries. Ensure the names are initial caps. so Spain, not spain.
Also, not sure why you were doing the stats count by src_ip first, since the geostats is doing a count by country anyway, and that stats command will be removing all the fields aside from src_ip too. So I just took it out.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This may help..
index=myFirewall [ | inputlookup blacklisted.csv| fields blacklisted_countries | rename blacklisted_countries as srccountry] | stats count by src_ip | iplocation src_ip | geostats count by Country
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
