Jan 7, 2011

Splunk GEOIP Lookup

Here's a great Splunk feature. Using this query you can see what countries are hammering your boxes and make nice graphs for the boss.

sourcetype="linux_secure" name="Failed Password" | lookup geoip clientip as src_ip | timechart useother=false limit=5 count by client_country

You can easily swap client_country for src_ip in the same query to see which individual addresses are hitting you and start dropping the ban-hammer as well.
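For readers without a Splunk instance handy, here is the same pipeline reproduced in plain Python: parse the "Failed password" events out of sshd secure-log lines, enrich the source IP with a country, then bucket counts per hour by country (or by src_ip). This is an added example, not part of the original post; the log lines and the GEOIP dictionary standing in for the geoip lookup table are constructed, and the function names are mine.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd lines in the linux_secure format; IPs are from documentation ranges.
SECURE_LOG = """\
Jan  7 10:01:12 host sshd[2001]: Failed password for root from 192.0.2.10 port 51022 ssh2
Jan  7 10:01:15 host sshd[2002]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Jan  7 10:02:40 host sshd[2003]: Accepted publickey for ops from 203.0.113.5 port 51040 ssh2
Jan  7 11:05:02 host sshd[2004]: Failed password for root from 192.0.2.10 port 51100 ssh2
Jan  7 11:06:30 host sshd[2005]: Failed password for root from 203.0.113.9 port 51110 ssh2
Jan  7 11:07:00 host sshd[2006]: Failed password for test from 198.51.100.7 port 51120 ssh2
"""

# Constructed stand-in for the geoip lookup table (clientip -> client_country).
GEOIP = {
    "192.0.2.10": "Ruritania",
    "198.51.100.7": "Freedonia",
    "203.0.113.9": "Ruritania",
}

FAILED_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d+) (?P<hour>\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port"
)

def failed_logins(log_text):
    """Equivalent of: sourcetype="linux_secure" name="Failed Password" | lookup geoip clientip as src_ip
    Yields (hour_bucket, src_ip, client_country); unmatched IPs get "unknown" (Splunk would leave it empty)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # e.g. "Accepted publickey" is not a failed password event
        hour = f"{m['month']} {m['day']} {m['hour']}:00"
        yield hour, m["src_ip"], GEOIP.get(m["src_ip"], "unknown")

def timechart_by(log_text, field="country", limit=5, useother=False):
    """Equivalent of: timechart useother=<bool> limit=<n> count by <field>, bucketed per hour."""
    idx = {"src_ip": 1, "country": 2}[field]
    rows = list(failed_logins(log_text))
    top = {k for k, _ in Counter(r[idx] for r in rows).most_common(limit)}
    chart = defaultdict(Counter)  # log is chronological, so insertion order is time order
    for row in rows:
        key = row[idx]
        if key not in top:
            if not useother:
                continue  # useother=false drops everything outside the top N
            key = "OTHER"
        chart[row[0]][key] += 1
    return {hour: dict(c) for hour, c in chart.items()}
```

Calling `timechart_by(SECURE_LOG, field="src_ip", limit=2, useother=True)` is the src_ip variant from the post, with everything outside the top two addresses folded into OTHER.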