
How to use the MAXMIND app to get GEOIP information regarding the client_ip field in my logs.

ranjyotiprakash
Communicator

Hi,

I want to use the MAXMIND app for extracting data about the client_ip. I don't know how to use the command to extract information like country name, city name, etc. from a client_ip. client_ip is a field in the logs I have.

The logs are of this kind:

Apr 24 18:37:07 10.11.26.83 2012-04-24 06:07:09.744 -0700 barracuda TR 99.99.83.74 80 99.99.182.1 44728 "-" "-" GET HTTP 99.99.83.74 HTTP/1.0 404 791 163 0 0 99.99.83.74 80 0 "-" INTERNAL DEFAULT PROTECTED INVALID /index.html name=%3Cscript%3EHi_Chandradip%3C/script%3E "-" "-" "Wget/1.12 (linux-gnu)" 99.99.182.1 44728 "-" "-" "-" "-"

The IP in bold letters is the "client_ip" field.

and I want to extract the information regarding the client_ip field. How do I write the search command for this?

Please help me out with this.

Thanks.


ziegfried
Influencer

As I understood, you already have the field extraction working, so you can simply use the lookup command:

<your search> | lookup geoip clientip as client_ip | table client*


wrangler2x
Motivator

What ziegfried said is exactly how to use it. You can also simplify it even more by creating a macro (Manager->Macros). I have one called geoip, and I'd use it this way (the macro puts the first pipe in for you):

... `geoip` | ...

I have a search that looks at logs created by syslog messages sent from our campus web authentication server. I want to see where the login failed and then, for the IP that caused the failure, see what user-ids were being used. So the IP has multi-valued user-ids associated with it. Here is that search (the fields that start with 'auth' are field extracts I created for these logs):

index="syslogs" auth_action="login" auth_success="N" `geoip`
| stats dc(auth_userid) AS UNIQUE List(auth_userid) AS "UserID" by auth_ip client_country_code client_city
| rename client_city AS City
| rename client_country_code AS CC
| search UNIQUE > 1
| sort -UNIQUE
| head 30

Here is the first record of the search results so you can see what it looks like:

    webauth_ip      CC  City            UNIQUE       UserID
1   204.108.65.120  US  Los Angeles     10           blowfish1
                                                     blowfish1
                                                     blowfish1
                                                     blowfishz
                                                     blowfishx
                                                     blowfisho
                                                     rehher2
                                                     rehher2
                                                     rehherr2
                                                     rehherrz
                                                     rehherz
                                                     grehher2
                                                     racigea

There are 14 failed attempts there, but only 10 unique user-ids.



brettcave
Builder

You can also specify what fields to output:

Supported fields: clientip client_country client_region client_city client_lat client_lon

... | lookup geoip clientip as YourIPField OUTPUT client_city as City | table YourIPField City
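Combining the answers above into one search for the asker's log (an added example, not code from the thread): the `geoip` lookup resolves the already-extracted `client_ip`, the OUTPUT clause renames the fields brettcave lists, addresses the MaxMind database cannot resolve (for example internal RFC 1918 ranges) are labelled "unresolved" instead of silently vanishing from the grouping, and the result is aggregated per location. `<your_index>` and `<your_sourcetype>` are placeholders for the asker's own data.

```spl
index=<your_index> sourcetype=<your_sourcetype> client_ip=*
| lookup geoip clientip AS client_ip OUTPUT client_country AS Country client_region AS Region client_city AS City client_lat AS Lat client_lon AS Lon
| fillnull value="unresolved" Country Region City
| stats count AS Requests dc(client_ip) AS UniqueIPs values(client_ip) AS ClientIPs by Country Region City
| sort -Requests
| head 30
```

The `client_ip=*` filter keeps events that lack the extracted field out of the lookup, and the "unresolved" rows are worth a second look since they usually mean private or reserved source addresses rather than a lookup fault.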

ranjyotiprakash
Communicator

Thanks a lot for the answer!!
