Google Maps App - Mapping Deny's from Firewall

Builder

This is the current search that I am running, and it is working, but I think it is working only because it is finding the first IP address in the log, which happens to be the IP address I want anyway:

host="my host" action="Deny" | rex "(?<ip>\d+.\d+.\d+.\d+)" | geoip ip

How do I select the field that I want to map out? I am sure there will be instances in which the IP address I want to map out will not be the first one in the log.

I tried the following search, specifically selecting the field (which I extracted), and it doesn't work:

host="my host" action="Deny" SourceIP=* | rex "(?<ip>\d+.\d+.\d+.\d+)" | geoip ip

or

host="my host" action="Deny" SourceIP=* | rex "(?<ip>\d+.\d+.\d+.\d+)" | geoip ip as SourceIP

Thanks for any help!

0 Karma

Re: Google Maps App - Mapping Deny's from Firewall

Influencer

Since you seem to already have the SourceIP field extracted, you can simply use it:

host="my host" action="Deny" SourceIP=* | geoip SourceIP
0 Karma

Re: Google Maps App - Mapping Deny's from Firewall

Builder

Thanks for responding!

Yes, I did try that as well, and I get no results. It doesn't crash or error out, but no results.

0 Karma

Re: Google Maps App - Mapping Deny's from Firewall

Influencer

What values does this SourceIP field contain? Make sure there is no whitespace around the IP address.

0 Karma
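
Following up on the whitespace question above, an added example that is not part of the original thread. The first search counts how many SourceIP values are clean, padded with whitespace, or not a bare IPv4 address; the second trims the field and passes only validated values to the mapping command. The names src_ip, raw_len and status are made up for illustration; geoip is the app's command as used in the posts above.

```spl
host="my host" action="Deny" SourceIP=*
| eval raw_len=len(SourceIP)
| eval SourceIP=trim(SourceIP)
| rex field=SourceIP "^(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})$"
| eval status=case(isnull(src_ip), "not a bare IPv4 address", raw_len > len(SourceIP), "had surrounding whitespace", 1=1, "clean")
| stats count by status

host="my host" action="Deny" SourceIP=*
| eval SourceIP=trim(SourceIP)
| rex field=SourceIP "^(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})$"
| search src_ip=*
| geoip src_ip
```

Because rex is given field=SourceIP and the pattern is anchored with ^ and $, it can only match the extracted field, not the first address that happens to appear in the raw event.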