topic Re: refining search after lookup command in Splunk Search

refining search after lookup command

gjohnson — Mon, 28 Sep 2020 14:46:15 GMT

Forgive me if this has been asked before, but I am trying to do a lookup using geoip (maxmind database) to resolve IP's to countries, which works great. This is what I have so far

sourcetype="fsisac-2" | lookup geoip clientip as IP

In my field list I now have a "client_country" field. I now want to add "client_country=germany" to the query, but whether I add this at the end, or before the Pipe. How do I construct the query to now only show me IP's that are coming from Germany?

TIA

Re: refining search after lookup command

sowings — Fri, 13 Sep 2013 01:59:58 GMT

After lookup, add | search client_country="germany". Just that easy!

Re: refining search after lookup command

gjohnson — Fri, 13 Sep 2013 02:42:48 GMT

That is exactly it! I would not have thought to have add the word "search" back onto the search bar - probably just late at night for me. Thanks again!

Re: refining search after lookup command

sowings — Fri, 13 Sep 2013 03:06:33 GMT

Excellent. If that worked for you, consider clicking the checkmark next to the response, so that others can know that it's a working solution. Happy Splunking!