Hi guys,
I have a problem with the MaxMind application. When I use this query:
host="ids"|lookup geoip clientip as "Source Address"|table "Source Address" client_city
I am getting the following error:
"Script for lookup table 'geoip' returned error code 1. Results may be incorrect."
I removed the lookup field, but now I am getting the error "Unknown search command 'geoip'".
Before using lookup, do we have to create anything for that query?
I am new to Splunk, please help me.
Thanks in advance.
Here is how you do that:
... | lookup geoip clientip AS IP | table IP client_*
Where IP is the name of your IP address field in your search/index/sourcetype and clientip is the field name that is input to the geoip lookup (which means it has to be there). When you run the table command after the lookup is done, there are a number of fields available to you. By doing client_* you get them all. If you want just certain of the fields, change the client_* to a list of the fields you want (i.e., client_city, client_region, client_country_code3, etc.).
Use
index=xxx| iplocation src_ip | search xxx
All the best
The regular iplocation command will output city and country fields as well. Just update the DB to whatever MaxMind DB you need, as described in the Splunk blog post I linked to earlier.
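As an added example (not posted by anyone in this thread), here is the question's search rewritten to use the built-in iplocation command directly on the "Source Address" field; the host="ids" filter and the field name come from the question, the src_ prefix is my choice:

```spl
host="ids"
| iplocation "Source Address" prefix=src_
| table "Source Address" src_City src_Region src_Country src_lat src_lon
```

iplocation reads whichever MaxMind City database Splunk is configured with, so no geoip lookup definition is needed; the prefix option keeps the output fields (City, Region, Country, lat, lon) from colliding with fields already in the events.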
If I want to use the MaxMind DB for my Source Address,
I think I have to create a lookup for that field; then only the lookup geoip command will work? Is that correct, or is there any other way to sort it out?
Is the MaxMind DB the same as the Splunk DB?
I can't say yes:
the MaxMind DB gets updated often, but
the Splunk DB uses the MaxMind DB.
But I hope it will meet your requirement.
I have a concern: is the MaxMind DB the same as the Splunk DB for country and city information?
You can use a MaxMind DB with Splunk's iplocation command.
http://blogs.splunk.com/2014/07/22/updating-the-iplocation-db/
This app seems to be really useful for updating to the latest mmdb file: https://splunkbase.splunk.com/app/5482/.
The app auto-updates the MaxMind database without going into the backend. It also allows you to run a search command in Splunk search to manually download and update the latest database.
Was just going to tackle a project to do this, thanks for linking!
iplocation is for the Splunk database,
but I need it in the MaxMind database.
As suggested in http://answers.splunk.com/answers/147645/why-am-i-getting-all-public-ip-addresses-as-private-using-m... you should consider using the Splunk 6 built-in command iplocation for resolving IP addresses to geoinformation. See http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/iplocation for reference.
Error:
Script for lookup table 'geoip' returned error code 1. Results may be incorrect.