I have a problem with the MaxMind application.
When I use this query:
host="ids"|lookup geoip clientip as "Source Address"|table "Source Address" client_city
I am getting the following error:
"Script for lookup table 'geoip' returned error code 1. Results may be incorrect."
I removed the lookup field, but now I am getting the error "Unknown search command 'geoip'".
Before using lookup, do we have to create anything for that query?
I am new to Splunk, please help me.
Thanks in advance.
Here is how you do that:
... | lookup geoip clientip AS IP | table IP client_*
Where IP is the name of your IP address field in your search/index/sourcetype, and clientip is the field name that is input to the geoip lookup (which means it has to be there). When you run the table command after the lookup is done, there are a number of fields available to you. By doing client_* you get them all. If you want just certain fields, change client_* to a list of the fields you want (i.e., client_city, client_region, client_country_code3, etc.).
The iplocation command will output city and country fields as well. Just update the DB to whatever MaxMind DB you need, as described in the Splunk Blog post I linked to earlier.
If I want to use the MaxMind DB for my Source Address, I think I have to create a lookup for that field. Then only the lookup geoip command will work? Is that correct, or is there any other way to sort it out?
This app seems to be really useful for updating to the latest mmdb file: https://splunkbase.splunk.com/app/5482/.
The App auto-updates the MaxMind database without going into the backend. It also allows you to run a search command on Splunk search to manually download and update the latest database.
As suggested in http://answers.splunk.com/answers/147645/why-am-i-getting-all-public-ip-addresses-as-private-using-m..., you should consider using the Splunk 6 built-in command
iplocation for resolving IP addresses to geoinformation. See http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/iplocation for reference.
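Putting the two answers together, here is an added example (not from any of the posters above) of both forms applied to the asker's events. It assumes the geoip lookup is the one defined by the MaxMind app and that the event field is literally "Source Address", which must be quoted because of the space. The first search uses the lookup as in the answer above, keeping only a few of the client_* output fields; the second uses the built-in iplocation command, which needs no lookup definition and adds the City, Region, Country, lat and lon fields to each event.

```spl
host="ids"
| lookup geoip clientip AS "Source Address"
| table "Source Address" client_city client_region client_country_code3

host="ids"
| iplocation "Source Address"
| table "Source Address" City Region Country lat lon
```

If the first search still reports "Script for lookup table 'geoip' returned error code 1", the lookup's external script is failing rather than the search syntax; the second search sidesteps that by not depending on the app's lookup script at all.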