Refine your search:

Need Help with Google Maps search string

0

Hi there, so I've tried almost every combination of search terms I can think of but I can not seem to get Maps to actually map anything out. Here is a sample of our IDP output:

Jul 17 19:05:27 130.184.1.23 Jul 17 19:05:27 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 218.248.240.178, destination: 130.184.251.102, zone name: Internet, interface name: reth2.324, action: drop

I am successfully extrating the field "screen_source" which in this case would be 218.248.240.178.

Some of the search strings I have tried: source="srx" |geoip screen_source -- returns a few matching events (not nearly enough, but no mapping)

source="srx" | lookup geo ip as screen_source -- seems to return the right number of matching events, but no mapping.

The best luck I've had is running: source="srx" |geoip screen_source="*" --this actually maps some IP's, but only maps the first IP it sees, the source of the syslog --130.184.1.23. Not very helpful.

One more thing, on the first two searches there is no data in the GeoResults and Events tabs. The Events tab does contain the following error: "[EventsViewer module] year is out of range"

Any ideas? Thanks!

asked 17 Jul '11, 17:20

sab057's gravatar image

sab057
343
accept rate: 0%

edited 18 Jul '11, 02:11

ziegfried's gravatar image

ziegfried ♦
7.1k1315
One Answer:
oldestnewestmost voted
1

Seems like your extraction does not work as you might expect. Could provide the extract extraction definition? What do you mean by "no mapping"?

The last search probably does not what you would want it to do. geoip screen_source="*" does exactly the same as simply calling geoip since screen_source is not a valid option. When you're passing an argument in the form of <key>=<value> it's interpreted as option not as a keyword/argument.

link

answered 18 Jul '11, 02:18

ziegfried's gravatar image

ziegfried ♦
7.1k1315
accept rate: 53%

Hi Ziegfried, here is the regex for screen_source:

(?i) source: (?P<screen_source>[^,]+)

And my "no mapping" I mean that nothing shows up on the google maps map, within the app running the queries I referenced above. (save for the last query which deos maps, but just not the right IP).

(18 Jul '11, 09:23) sab057
1

Is the extraction visible in the maps app? Did you turn on global sharing for it?

(02 Aug '11, 07:56) ziegfried ♦

This ended up being the problem, the extraction wasn't visible to the maps app. Thanks for responding!

(11 Aug '11, 14:52) sab057
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

Asked: 17 Jul '11, 17:20

Seen: 678 times

Last updated: 11 Aug '11, 14:52

Related questions

simple question about google maps app and how to work with

Search crashes when using Google Maps geoip command

help with a simple search on Google Maps

Does PDF Report Server support Google Maps app search results?

Google Maps syslog data not showing on map

Possible? Fog map in google maps app?

Help with Google Maps using stats count instead of event count

I can't find Google maps moudles

Google Maps Dashboard Layout

Copyright © 2005-2012 Splunk, Inc. All rights reserved.