topic Re: Google maps finds a specific IP in multiple areas in Splunk Search

Google maps finds a specific IP in multiple areas

evang_26 — Mon, 09 Dec 2013 10:42:15 GMT

Hello Splunk users,

It is not a long time since I started using Splunk. I have Google Maps API installed and I am trying to locate the location of IPs in my logs.
As an example of the queries I apply I give you the following 2:

1) sourcetype=LogEvents | geoip clientip=12.34.56.78
Above query returns me thousands of logs. However, with the specific IP there is only 1 (one) log in reality. Last, even though it returns me so much logs, in the map there are only about 20 dots with location.

2) sourcetype=LogEvents remote access failed | geoip clientip=12.34.56.78
Above query works fine in terms that it returns me the correct number of failed logs. The thing is however, that again not all returned logs belong to that IP address. Are only the "failed" logs as defined by the query.

Any, any thoughts, are greatly appreciated!
Best regards,
Evangelos

Re: Google maps finds a specific IP in multiple areas

martin_mueller — Mon, 09 Dec 2013 11:06:25 GMT

What are you trying to achieve by specifying a concrete IP when calling geoip?

Also, you should take a look at Splunk 6 - that comes with a built-in iplocation command.

Re: Google maps finds a specific IP in multiple areas

evang_26 — Mon, 09 Dec 2013 11:09:55 GMT

Hi Martin,

Thanks commenting this out. What I am trying to do is to find the location from where a specific IP created a log.

I currently have installed v5.0.2. I think it would be quite difficult to unistall and install from the scratch at 6 version.

Regards,
Evangelos

Re: Google maps finds a specific IP in multiple areas

martin_mueller — Mon, 09 Dec 2013 11:12:44 GMT

If you want to filter by clientip then you can do that before the first pipe.

As for upgrading to 6, that's easy as can be. Just do an upgrade install, no need to uninstall first. Always keep an up-to-date backup of course 🙂

Re: Google maps finds a specific IP in multiple areas

evang_26 — Mon, 09 Dec 2013 11:25:53 GMT

Okay, that seems to be working as for now, part of it at least.
What I did is this: sourcetype=LogEvents remote access failed 12.34.56.78 | geoip

It now returns the correct number of logs, but not in the exact location, only country. Is this how it works?

I am considering the upgraide, but I am defering for now because I am newbie.

Re: Google maps finds a specific IP in multiple areas

martin_mueller — Mon, 09 Dec 2013 11:37:39 GMT

Precision varies, resolving IP to location is not an exact science.