Hi again, @stakor,
I think there are a couple of things going on here.
I'd start by seeing what the generated src_ip field looks like. You could run this much of your query:
| iplocation src_ip
| where Country="United States"
| stats count by src_ip
to see what the statistics table includes in the src_ip column. I suspect there is a mismatch between the definitions in geo_us_states and the src_ip information that is preventing aggregated values from being mapped on the US map.
Try extracting the IP field and using the geostats command to generate latitude and longitude coordinates for the IP locations so that they can be mapped. We have a scenario that shows you how to extract an IP location field, derive latitude and longitude info from it, and use this info with mapping commands as part of creating a dashboard. In particular, these two parts are relevant to your situation:
https://docs.splunk.com/Documentation/Splunk/6.5.2/Scenarios/Extractfields
https://docs.splunk.com/Documentation/Splunk/6.5.2/Scenarios/Adddrilldownpanels#Part_5:_Create_a_drilldown_map_showing_hacker_locations
There is also this Choropleth generation topic in our Dashboards and Visualizations manual:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/ChoroplethGenerate
Based on these two docs resources, I put together this sample search with test data:
sourcetype=secure | dedup clientip | iplocation prefix=cip_ clientip | geostats latfield=cip_lat longfield=cip_lon | lookup geo_us_states longitude as longitude, latitude as latitude | stats count by featureId | geom geo_us_states
This generates the featureIds that are necessary for the geom command to render the map. You should be able to adapt this for your use case and generate the Choropleth map.
Hope this helps!
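As an added example (not part of the reply above), here is the same featureId pipeline adapted to the src_ip field and the "United States" filter from the question; the index name and the src_ prefix are assumptions, and the iplocation output is fed to the geo_us_states lookup directly, so only rows that actually matched a state feature are counted before geom renders them:

```spl
index=firewall src_ip=*
| dedup src_ip
| iplocation prefix=src_ src_ip
| where src_Country="United States"
| lookup geo_us_states longitude as src_lon, latitude as src_lat
| where isnotnull(featureId)
| stats count by featureId
| geom geo_us_states
```

If the stats table before the geom step is empty, the problem is in the src_ip values or the lookup coordinates, not in the map rendering.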