Hello, thank you for your replies.
From them I was able to get the search query from the maps part as mentioned above and get further along with troubleshooting this.
Clicking on the job inspector button, I was able to get the search query as mentioned in your replies:
search eventtype=cisco-security-events dest_ip!="255.255.255.255" dest_ip!="0.0.0.0" src_ip="*" | eval isLocalIP=case(cidrmatch("10.0.0.0/8", src_ip),1,cidrmatch("172.16.0.0/12", src_ip),1,cidrmatch("192.168.0.0/16", src_ip),1,cidrmatch("169.254.0.0/16", src_ip),1,cidrmatch("fe80::/64", src_ip),1,cidrmatch("fec0::/10", src_ip),1,cidrmatch("fc00::/7", src_ip),1,src_ip=="0.0.0.0",1,isnotnull(src_ip),0) | where isLocalIP!=1 AND isnotnull(threat_reason) AND threat_reason!="-" | stats count by src_ip | iplocation src_ip | geostats latfield=lat longfield=lon count by Country
On the job inspector screen it indicates that it fails up to this part:
stats count by src_ip | iplocation src_ip | geostats latfield=lat longfield=lon count by Country
I was able to figure out that the Splunk/Cisco app isn't parsing my firewall syslog events as eventtype=cisco-security-events but as eventtype=cisco_connection.
I tried swapping cisco-security-events for cisco_connection in the original search query, but it failed as well.
I was able to run this query and get the longitudes and latitudes of the source IP addresses, but couldn't figure out how to stick the results onto a map:
sourcetype="cisco:asa" src_ip="*" | stats count by src_ip | iplocation src_ip | geostats latfield=lat longfield=lon
I'm thinking this is because I'm not using an ASA/PIX firewall but a Cisco router to forward these syslogs, and the format may be a bit different between the two. I was hoping this wasn't going to cause an issue because I thought these syslogs were identical.
Any ideas if this issue can be easily fixed, or the best route for fixing it?
Thanks
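The filtering stage of the map search quoted in the post above (the base search exclusions, the isLocalIP case(), the where clause and stats count by src_ip), reimplemented here as an added Python example so it can be run offline against a handful of events. This is not Splunk's or the Cisco app's code; the event dictionaries are constructed for the example, and the iplocation/geostats steps are left out because they need Splunk's GeoIP database.

```python
"""Mirror of the SPL pipeline

    search ... dest_ip!="255.255.255.255" dest_ip!="0.0.0.0" src_ip="*"
    | eval isLocalIP=case(cidrmatch(...),1, ..., src_ip=="0.0.0.0",1, isnotnull(src_ip),0)
    | where isLocalIP!=1 AND isnotnull(threat_reason) AND threat_reason!="-"
    | stats count by src_ip

Added example, not code from Splunk or the Cisco Security Suite app.
"""
import ipaddress
from collections import Counter

# The same prefixes the SPL cidrmatch() chain tests, in the same order.
LOCAL_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fe80::/64", "fec0::/10", "fc00::/7",
)]


def is_local_ip(addr):
    """Equivalent of the SPL case() for isLocalIP.

    Returns 1 for a private, link-local, site-local or unspecified
    address, 0 for any other non-null value (the isnotnull(src_ip),0
    branch, so an unparseable string is 0 just as in SPL, where every
    cidrmatch() is false), and None when src_ip is missing (no branch
    of the case() matches, so the field stays null).
    """
    if addr is None:
        return None
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return 0
    if ip == ipaddress.ip_address("0.0.0.0"):
        return 1
    # cidrmatch() on an IPv4 prefix never matches an IPv6 address and
    # vice versa; ipaddress returns False for the mismatch, but the
    # explicit version check makes that intent visible.
    return 1 if any(ip.version == net.version and ip in net
                    for net in LOCAL_PREFIXES) else 0


def count_external_threats(events):
    """Apply the base-search exclusions and the where clause, then
    aggregate like `stats count by src_ip`. Returns {src_ip: count}."""
    counts = Counter()
    for ev in events:
        src, dst = ev.get("src_ip"), ev.get("dest_ip")
        # src_ip="*" requires the field to exist; broadcast and
        # unspecified destinations are excluded in the base search.
        if src is None or dst in ("255.255.255.255", "0.0.0.0"):
            continue
        # where isLocalIP!=1: SPL drops nulls here too, so only 0 passes.
        if is_local_ip(src) != 0:
            continue
        reason = ev.get("threat_reason")
        if reason is None or reason == "-":
            continue
        counts[src] += 1
    return dict(counts)


# Constructed sample events (fields as the Cisco app would extract them).
SAMPLE_EVENTS = [
    {"src_ip": "10.1.2.3", "dest_ip": "8.8.8.8", "threat_reason": "scan"},          # RFC 1918
    {"src_ip": "172.20.5.9", "dest_ip": "1.1.1.1", "threat_reason": "scan"},        # inside 172.16/12
    {"src_ip": "203.0.113.7", "dest_ip": "192.168.1.10", "threat_reason": "Interface-Blocked"},
    {"src_ip": "203.0.113.7", "dest_ip": "192.168.1.11", "threat_reason": "-"},      # no threat
    {"src_ip": "198.51.100.4", "dest_ip": "255.255.255.255", "threat_reason": "scan"},  # broadcast dest
    {"src_ip": "198.51.100.4", "dest_ip": "192.168.1.12", "threat_reason": "scan"},
    {"src_ip": "203.0.113.7", "dest_ip": "192.168.1.10", "threat_reason": "scan"},
    {"src_ip": "2001:db8::1", "dest_ip": "192.168.1.10", "threat_reason": "scan"},  # public IPv6
    {"src_ip": "fe80::1", "dest_ip": "192.168.1.10", "threat_reason": "scan"},      # link-local
    {"dest_ip": "192.168.1.10", "threat_reason": "scan"},                            # no src_ip
]

if __name__ == "__main__":
    for ip, n in sorted(count_external_threats(SAMPLE_EVENTS).items()):
        print(f"{ip}\t{n}")
```

Running it prints one line per external source that had a threat_reason, which is exactly the table that iplocation would then annotate with lat/lon before geostats plots it; if a source's events never reach this point (for instance because they carry a different eventtype or no threat_reason field), nothing downstream has anything to put on the map.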