topic Using lookup file to update field value in Splunk Search https://community.splunk.com/t5/Splunk-Search/Using-lookup-file-to-update-field-value/m-p/265824#M176847 <P>Hi Everyone,<BR /> My requirement is, using client ip's need to display Country with geomap. Here my concern is my ip's private ip's and doesnt have country value. Something USA, India, China. I got some info from my netwrok team, saying these ip's are coming from these countries like that. For that data, I have created lookup file (format of csv) which contains c_ip, State, Location and Country. Now using query I wanted to update Country value which is there in iis or displaying purpose.</P> <P>index=default sourcetype=iis|iplocation c_ip| geostats count by Country</P> <P>Here by default Country field is empty.</P> <P>Created Lookup table</P> <P>|inputlookup geo_sample_ip_countries.csv</P> <P>here I will get </P> <P>c_ip State Location Country<BR /> 10.92.32.10 XXXXXXX XXXXX India</P> <P>Now I wanted to display Country geomap based on client ip (c_ip).</P> <P>I have tried using join query, it's not worked as expectations.</P> <P>Please suggest me on this.</P> Tue, 29 Sep 2020 10:53:03 GMT guruwells 2020-09-29T10:53:03Z Using lookup file to update field value https://community.splunk.com/t5/Splunk-Search/Using-lookup-file-to-update-field-value/m-p/265824#M176847 <P>Hi Everyone,<BR /> My requirement is, using client ip's need to display Country with geomap. Here my concern is my ip's private ip's and doesnt have country value. Something USA, India, China. I got some info from my netwrok team, saying these ip's are coming from these countries like that. For that data, I have created lookup file (format of csv) which contains c_ip, State, Location and Country. Now using query I wanted to update Country value which is there in iis or displaying purpose.</P> <P>index=default sourcetype=iis|iplocation c_ip| geostats count by Country</P> <P>Here by default Country field is empty.</P> <P>Created Lookup table</P> <P>|inputlookup geo_sample_ip_countries.csv</P> <P>here I will get </P> <P>c_ip State Location Country<BR /> 10.92.32.10 XXXXXXX XXXXX India</P> <P>Now I wanted to display Country geomap based on client ip (c_ip).</P> <P>I have tried using join query, it's not worked as expectations.</P> <P>Please suggest me on this.</P> Tue, 29 Sep 2020 10:53:03 GMT https://community.splunk.com/t5/Splunk-Search/Using-lookup-file-to-update-field-value/m-p/265824#M176847 guruwells 2020-09-29T10:53:03Z Re: Using lookup file to update field value https://community.splunk.com/t5/Splunk-Search/Using-lookup-file-to-update-field-value/m-p/265825#M176848 <P>Try this. You will need to insure the format for Country is the same as the one returned by <CODE>iplocation</CODE> command.</P> <PRE><CODE>index=default sourcetype=iis |lookup geo_sample_ip_countries.csv c_ip AS c_ip OUTPUT Country | geostats count by Country </CODE></PRE> Tue, 06 Sep 2016 12:09:33 GMT https://community.splunk.com/t5/Splunk-Search/Using-lookup-file-to-update-field-value/m-p/265825#M176848 sundareshr 2016-09-06T12:09:33Z