https://community.splunk.com/t5/Splunk-Search/iplocation-query-How-to-show-the-country-with-this-search/m-p/655258#M226355 <P>Does ClientIP hold a valid IP address?</P><P>Have you tried one of the IP addresses found in the ClientIP field in your makeresults line?</P> Wed, 23 Aug 2023 06:42:09 GMT ITWhisperer 2023-08-23T06:42:09Z https://community.splunk.com/t5/Splunk-Search/iplocation-query-How-to-show-the-country-with-this-search/m-p/655253#M226352 <P>index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication | spath | iplocation ClientIP | table UserId ClientIP DisplayName status Country</P> <P>&nbsp;</P> <P>when i run the above command , i am not able to get the country. country is blank.</P> <P>&nbsp;</P> <P><SPAN>| makeresults | eval myip="2001:4860:4860::8888" | iplocation myip</SPAN></P> <P>however, when i run this, it is able to show me the country. Can you help me to make the above first command work so that country will be shown?</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 23 Aug 2023 19:50:08 GMT https://community.splunk.com/t5/Splunk-Search/iplocation-query-How-to-show-the-country-with-this-search/m-p/655253#M226352 sulaimancds 2023-08-23T19:50:08Z https://community.splunk.com/t5/Splunk-Search/iplocation-query-How-to-show-the-country-with-this-search/m-p/655258#M226355 <P>Does ClientIP hold a valid IP address?</P><P>Have you tried one of the IP addresses found in the ClientIP field in your makeresults line?</P> Wed, 23 Aug 2023 06:42:09 GMT https://community.splunk.com/t5/Splunk-Search/iplocation-query-How-to-show-the-country-with-this-search/m-p/655258#M226355 ITWhisperer 2023-08-23T06:42:09Z https://community.splunk.com/t5/Splunk-Search/iplocation-query-How-to-show-the-country-with-this-search/m-p/655261#M226358 <P>yes it is able to get the country i try it the the makeresults query</P> Wed, 23 Aug 2023 06:56:54 GMT https://community.splunk.com/t5/Splunk-Search/iplocation-query-How-to-show-the-country-with-this-search/m-p/655261#M226358 sulaimancds 2023-08-23T06:56:54Z https://community.splunk.com/t5/Splunk-Search/iplocation-query-How-to-show-the-country-with-this-search/m-p/655276#M226365 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254197">@sulaimancds</a>,</P><P>are you sure that the fieldname, after the spath command is exactly "<SPAN>ClientIP&nbsp;"?</SPAN></P><P><SPAN>Usually after a spath command, the field names are more complicated. probably you need to rename the field or use that field name in the iplocation command.</SPAN></P><LI-CODE lang="markup">index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication | spath | iplocation &lt;your_ClientIP_fieldname&gt; | table UserId ClientIP DisplayName status Country</LI-CODE><P><SPAN>Ciao.</SPAN></P><P><SPAN>Giuseppe</SPAN></P> Wed, 23 Aug 2023 07:45:50 GMT https://community.splunk.com/t5/Splunk-Search/iplocation-query-How-to-show-the-country-with-this-search/m-p/655276#M226365 gcusello 2023-08-23T07:45:50Z https://community.splunk.com/t5/Splunk-Search/iplocation-query-How-to-show-the-country-with-this-search/m-p/655277#M226366 <BLOCKQUOTE><HR /><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;wrote:<BR /><P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254197">@sulaimancds</a>,</P><P>are you sure that the fieldname, after the spath command is exactly "<SPAN>ClientIP&nbsp;"?</SPAN></P><P><SPAN>Usually after a spath command, the field names are more complicated. probably you need to rename the field or use that field name in the iplocation command.</SPAN></P></BLOCKQUOTE><P>&nbsp;</P><LI-CODE lang="markup">index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication | spath | iplocation &lt;your_ClientIP_fieldname&gt; | table UserId ClientIP DisplayName status Country</LI-CODE><P>&nbsp;</P><P><SPAN>Ciao.</SPAN></P><P><SPAN>Giuseppe</SPAN></P><HR /><P>HI it does not work, this is my original command before inserting. IPLocation</P><P>&nbsp;</P><P>index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication<BR />| spath<BR />| table UserId ClientIP DisplayName</P><P>&nbsp;</P><P>example</P><P>userid&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ClientIP&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; displayname</P><P><A href="mailto:abc@gamil.com" target="_blank" rel="noopener">abc@gamil.com</A>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 1.1.1.1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; abcpc</P><P>&nbsp;</P><P>need help work to show country of the ClientIP</P> Wed, 23 Aug 2023 07:58:45 GMT https://community.splunk.com/t5/Splunk-Search/iplocation-query-How-to-show-the-country-with-this-search/m-p/655277#M226366 sulaimancds 2023-08-23T07:58:45Z https://community.splunk.com/t5/Splunk-Search/iplocation-query-How-to-show-the-country-with-this-search/m-p/655278#M226367 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254197">@sulaimancds</a>,</P><P>as I said, the usual issue is that the field name used in the iplocation command isn't exactly the one you have from your logs, for this reason I hinted to check the field names,</P><P>also because the spath command has always field names more structured (e.g. event.access.ip{}), but if your search extracts the ClientIP you could try to use it.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 23 Aug 2023 08:10:12 GMT https://community.splunk.com/t5/Splunk-Search/iplocation-query-How-to-show-the-country-with-this-search/m-p/655278#M226367 gcusello 2023-08-23T08:10:12Z https://community.splunk.com/t5/Splunk-Search/iplocation-query-How-to-show-the-country-with-this-search/m-p/655279#M226368 <P>hi i try with iplocation ClientIP it does not work</P> Wed, 23 Aug 2023 08:15:07 GMT https://community.splunk.com/t5/Splunk-Search/iplocation-query-How-to-show-the-country-with-this-search/m-p/655279#M226368 sulaimancds 2023-08-23T08:15:07Z https://community.splunk.com/t5/Splunk-Search/iplocation-query-How-to-show-the-country-with-this-search/m-p/655280#M226369 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254197">@sulaimancds</a>,</P><P>please check if in the interesting fields there is another alias of the ClientIP (having the same value) and try to use it.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 23 Aug 2023 08:21:28 GMT https://community.splunk.com/t5/Splunk-Search/iplocation-query-How-to-show-the-country-with-this-search/m-p/655280#M226369 gcusello 2023-08-23T08:21:28Z