use amMap without a lookup?

Question

amMap works fine using a lookup, but what if the data already has the client_city, client_region, client_country, client_lon, and client_lat in the events as fields?

I would like to map these events without generating a lookup table.

Answer 1

That will work as well. Whether you use maxmind, a custom CSV, or the search language ... the goal is the same: Make sure mapit has what it needs to plot your data on an amMap. Here is an example of plotting two points exclusively using the search language, sans lookup(s):

| stats count | eval count=1000| eval ip="127.0.0.1" | eval client_city="Santa Claus" | eval client_region="IN" | eval client_country="USA" | eval client_lon="-86.913958" | eval client_lat="38.120445" | eval movie_color="#FF0000" 
| append [| stats count | eval count=100| eval ip="10.0.0.1" | eval client_city="RMS" | eval client_region="Titanic" | eval client_country="Atlantic" | eval client_lon=-41 | eval client_lat=49 | eval movie_color="#8b8b8b"] 
| eval iterator="ip" | eval iterator_label="match or IP" | eval count_label="count" | eval output_file="home_threat_data.xml" | eval app="amMap" | mapit

use amMap without a lookup?

Follow this question

Splunk Resources

Related questions