This simple query shows whether IIS traffic to a given site came from one of three geographical categories: “United States”, “International”, or “Unknown”. It relies entirely on the geoip lookup. You can change the country from “United States” to anything you want for your own data set (just make the change in the eval section below!).
sourcetype="iis" | iplocation c_ip | fillnull value="Unknown" Country | eval GeoLocation=case(Country="United States", "Views from the United States", Country="Unknown", "Views from Unknown Origins", Country!="United States" AND Country!="Unknown", "International Views") | top limit=3 GeoLocation | eval percent = round(percent,2) . " %" | rename GeoLocation as "Visitor Nationality" | rename percent as Percent | fields - count
All of mine show as unknown location. Can you help me figure out what I am doing wrong? I have around 5k IIS web servers.
Make sure there are no unique fields extracted. Ensure some of the search works and then add to it. Start with this: “sourcetype="iis" | iplocation c_ip” and continue to add sections until it doesn’t work anymore :) I’ll be back in the office on Monday and can take a look at my data to help!
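An added diagnostic search, not part of the original post or the comments above, for the case where every row comes back as Unknown. It counts events by whether c_ip was extracted at all, whether it is a private or loopback address (which a geoip database cannot place), and whether iplocation returned a Country. It assumes the same sourcetype="iis" and c_ip field as the query above; ip_status and geo_status are names made up for this example.

```spl
sourcetype="iis"
| eval ip_status=case(
    isnull(c_ip), "c_ip field not extracted",
    cidrmatch("10.0.0.0/8", c_ip) OR cidrmatch("172.16.0.0/12", c_ip) OR cidrmatch("192.168.0.0/16", c_ip) OR cidrmatch("127.0.0.0/8", c_ip), "private or loopback address",
    true(), "other address")
| iplocation c_ip
| eval geo_status=if(isnull(Country) OR Country="", "no Country returned", "Country returned")
| stats count by ip_status, geo_status
| sort - count
```

If most events fall under "c_ip field not extracted", the field extraction for the sourcetype is the problem; if they fall under "private or loopback address", the logs are recording an internal address such as a proxy or load balancer rather than the visitor.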