Description: This query gets all collection titles in your instance, then runs a map function on them to get their fields from a single query. This is necessary because the API returns collection fields as columns, not values, and if you just table all fields for multiple collections, you’ll end up with […]
sourcetype=access_combined earliest=-24h | iplocation sourceIP | stats dc(sourceIP) by Country | geom geo_countries featureIdField="Country"

Note that ‘sourceIP’ is the name of the IP field. You may already have another field name for that extraction. Tested on Splunk Light.