All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can I use iplocation with an ip address I get from a dbxquery?

jhdietz
New Member
‎07-11-2017 11:39 AM

Can I use iplocation with an ip address I get from a dbxquery?

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎07-11-2017 01:34 PM

Looking at your search again, I see that you have multiple typos in there.
It should be | iplocation remoteaddr instead of |iplocation = remotaddr (no equals sign and properly spelled field name).

I just tried this and it works just fine:

| makeresults | eval remoteaddr="50.26.126.246" | iplocation remoteaddr | geostats latfield=lat longfield=lon

Please ensure you are using the correct syntax and try again.

0 Karma
Reply

jhdietz
New Member
‎07-12-2017 08:46 AM

I got this working, the remoteaddr field is case sensitive so it worked after I use REMOTEADDR

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎07-12-2017 04:01 PM

🙂
Thanks for providing the update!

Yes, all Splunk field names are case-sensitive, field values are not.

BTW, geostats does not create latitude and longitude, it requires it as input args. Which is why you should see a lat and long field after running iplocation successfully.

0 Karma
Reply

jhdietz
New Member
‎07-12-2017 04:16 AM

Can you test using dbxquery? I get the same results with the "iplocation remoteaddr" syntax. I get nearly 12k worth of stats but no latitude or longitude when I add "| geostats latfield=lat longfield=lon"

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎07-11-2017 11:49 AM

Yes. As long as you have a field that contains an ip address, I see no reason why we care where it came from.

0 Karma
Reply

jhdietz
New Member
‎07-11-2017 12:14 PM

iplocation does work by itself but not with geostats

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎07-11-2017 12:23 PM

Share your search example and/or screenshot?
Do you have latitude/longitude fields in your events after using iplocation?

0 Karma
Reply

jhdietz
New Member
‎07-11-2017 12:52 PM

I don't have the lat/lon fields in my events and I can't attach a screenshot so here is my search:

|dbxquery connection=db.connection query="select remoteaddr from table" shortnames = t
|iplocation = remotaddr
|geostats latfield=lat longfield=lon globallimit=0

No results found.

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎07-11-2017 01:05 PM

Do you get any events without specifying the | geostats command and do those events have the fields "lat" and "lon" that you specified for geostats?

0 Karma
Reply

jhdietz
New Member
‎07-11-2017 01:08 PM

I get stats without specifying the geostats command

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎07-11-2017 01:27 PM

and do those events have the fields "lat" and "lon" that you specified for geostats?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...