topic Re: Why do i get a no value in Country while using iplocation in Dashboards & Visualizations

Why do i get a no value in Country while using iplocation

sangs8788 — Wed, 22 Aug 2018 06:04:35 GMT

Hi,

With the below query i am able to list the country and request count by response time split.

wall_time != NULL client_ipaddress != NULL |iplocation client_ipaddress| eval Latency=case(wall_time<500, "0-0.5s", wall_time>=500 AND wall_time<1000, "0.5s-1s",wall_time>=1000 AND wall_time<3000, "1s-3s", wall_time>=3000 AND wall_time<6000, "3s-6s",THREAD_WALL_MS>=4000 AND wall_time<10000, "6s-10s",wall_time>=10000 AND wall_time<30000, "10s-30s", wall_time>=30000, ">=30s")| chart span=1w count  as RequestCount over Country by Latency | sort -RequestCount, -Latency

But the query seems to be resulting 1 row with no value for the country field. Why is it so ? Anything i am missing out ?

Re: Why do i get a no value in Country while using iplocation

kamlesh_vaghela — Wed, 22 Aug 2018 06:18:35 GMT

@sangs8788,

iplocation: extracts location information from IP addresses by using 3rd-party databases. This command supports IPv4 and IPv6.

The IP address that you specify in the ip-address-fieldname argument, is looked up in the database. Fields from that database that contain location information are added to each event. The setting used for the allfields argument determines which fields are added to the events.

Because all the information might not be available for each IP address, an event can have empty field values.

For IP addresses which do not have a location, such as internal addresses, no fields are added.

https://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Iplocation#Description

Re: Why do i get a no value in Country while using iplocation

inventsekar — Wed, 22 Aug 2018 06:19:49 GMT

when you run this command, do you still get empty country for one row?!?!
wall_time != NULL client_ipaddress != NULL |iplocation client_ipaddress| chart span=1w count as RequestCount over Country | sort -RequestCount

or simply,
wall_time != NULL client_ipaddress != NULL |iplocation client_ipaddress|table client_ipaddress, status, City, Country
choose time as needed

Re: Why do i get a no value in Country while using iplocation

inventsekar — Wed, 22 Aug 2018 06:20:41 GMT

Any ideas when the iplocations db was last updated?!?!

the procedure to update iplocations database...
https://www.splunk.com/blog/2014/07/22/updating-the-iplocation-db.html

Re: Why do i get a no value in Country while using iplocation

niketn — Wed, 22 Aug 2018 06:30:57 GMT

@sangs8788 while you should definitely try updating iplocation as mentioned by @inventsekar, but you should still maintain a list of IPs without Geo Location details and either mark them with respective IP addresses or as Unknown when Country is not mapped.

Re: Why do i get a no value in Country while using iplocation

sangs8788 — Wed, 22 Aug 2018 06:33:18 GMT

yes i do get.

Re: Why do i get a no value in Country while using iplocation

sangs8788 — Wed, 22 Aug 2018 06:35:22 GMT

@inventsekar I am not sure on that. Have to check with Ops team since i dont have the permission. But we got upgraded our Splunk recently. So ideally shouldnt it be up-to-date ?

Re: Why do i get a no value in Country while using iplocation

sangs8788 — Wed, 22 Aug 2018 06:36:02 GMT

@niketnilay I am trying to filter out few IPs by finding the location, but yea this sounds good for now. Thanks

Re: Why do i get a no value in Country while using iplocation

sangs8788 — Wed, 22 Aug 2018 06:38:23 GMT

Is that even possible ? run time can do an eval for the country and set country name based on IP address which is not getting listed ? something like below |eval Country = case(CLIENT_IP like "203.*", "Singapore", CLIENT_IP like "103.*", "China", CLIENT_IP like "199.*", "Czech Republic")

Re: Why do i get a no value in Country while using iplocation

niketn — Wed, 22 Aug 2018 06:46:17 GMT

GeoLite2 DB gets updated frequently, I just looked at recent version which is from 2018/08/07. So if your recent upgrade happened prior to that you would need to upgrade your MaxMind DB.

Re: Why do i get a no value in Country while using iplocation

sangs8788 — Wed, 22 Aug 2018 08:17:37 GMT

ok. Let me check on that. Thanks

Re: Why do i get a no value in Country while using iplocation

ManchitMalik — Wed, 22 Aug 2018 08:37:15 GMT

Those IPs are not tagged with any location so they are coming blank. You can go through the description of iplocation command in below url: https://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Iplocation#Description . There they have mentioned - "Because all the information might not be available for each IP address, an event can have empty field values." . Thanks