sourcetype="linux_secure" name="Failed Password" | lookup geoip clientip as src_ip | timechart useother=false limit=5 count by client_country
You can easily change client_country with src_ip to start dropping the ban-hammer as well.
Jan 7, 2011
Splunk GEOIP Lookup
Here's a great Splunk feature. Using this query you can see what countries are hammering your boxes and make nice graphs for the boss.
sourcetype="linux_secure" name="Failed Password" | lookup geoip clientip as src_ip | timechart useother=false limit=5 count by client_country
You can easily change client_country with src_ip to start dropping the ban-hammer as well.
sourcetype="linux_secure" name="Failed Password" | lookup geoip clientip as src_ip | timechart useother=false limit=5 count by client_country
You can easily change client_country with src_ip to start dropping the ban-hammer as well.
