Hi,
I want to use the MaxMind app to extract data about the client_ip. I don't know how to write the command to extract information such as country name, city name, etc. from a client_ip. client_ip is a field in the logs I have.
The logs are of this kind:
Apr 24 18:37:07 10.11.26.83 2012-04-24 06:07:09.744 -0700 barracuda TR 99.99.83.74 80 99.99.182.1 44728 "-" "-" GET HTTP 99.99.83.74 HTTP/1.0 404 791 163 0 0 99.99.83.74 80 0 "-" INTERNAL DEFAULT PROTECTED INVALID /index.html name=%3Cscript%3EHi_Chandradip%3C/script%3E "-" "-" "Wget/1.12 (linux-gnu)" 99.99.182.1 44728 "-" "-" "-" "-"
The IP in bold letters is the "client_ip" field,
and I want to extract the information regarding the client_ip field. How do I write the search command for this?
Please help me out with this.
Thanks.
As I understood, you already have the field extraction working, so you can simply use the lookup command:
<your search> | lookup geoip clientip as client_ip | table client*
What ziegfried said is exactly how to use it. You can also simplify it even more by creating a macro (Manager->Macros). I have one called geoip, and I'd use it this way (the macro puts the first pipe in for you):
... geoip
| ...
I have a search that looks at logs created by syslog messages sent from our campus web authentication server. I want to see where the login failed and then, for the IP that caused the failure, see what user-ids were being used. So the IP has multi-valued user-ids associated with it. Here is that search (the fields that start with 'auth' are field extractions I created for these logs):
index="syslogs" auth_action="login" auth_success="N" `geoip`
| stats dc(auth_userid) AS UNIQUE List(auth_userid) AS "UserID" by auth_ip client_country_code client_city
| rename client_city AS City
| rename client_country_code AS CC
| search UNIQUE > 1
| sort -UNIQUE
| head 30
Here is the first record of the search results so you can see what it looks like:
webauth_ip      CC  City         UNIQUE  UserID
204.108.65.120  US  Los Angeles  10      blowfish1
                                         blowfish1
                                         blowfish1
                                         blowfishz
                                         blowfishx
                                         blowfisho
                                         rehher2
                                         rehher2
                                         rehherr2
                                         rehherrz
                                         rehherz
                                         grehher2
                                         racigea
There are 14 failed attempts there, but only 10 unique user-ids.
You can also specify what fields to output:
Supported fields: clientip client_country client_region client_city client_lat client_lon
... | lookup geoip clientip as YourIPField OUTPUT client_city as City | table YourIPField City
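The same pipeline outside Splunk, as an added example that is not from the thread or from the MaxMind app: a constructed geoip lookup table (clientip plus client_* output fields, as in the supported-fields list above) is joined onto constructed web-auth syslog events, and the failed-login stats search from the earlier answer (distinct user-ids per source IP, keep UNIQUE > 1, sort descending) is reproduced in plain Python. The event format, the auth_* key=value fields and all IPs and user-ids are assumptions made up for the example.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed geoip lookup table in the shape the Splunk app exposes (clientip
# plus client_* output fields); the rows are made up for this example.
GEOIP_CSV = """clientip,client_country_code,client_city
204.108.65.120,US,Los Angeles
198.51.100.7,DE,Berlin
203.0.113.9,US,New York
"""
# Constructed syslog events from a hypothetical web-auth server; the key=value
# pairs stand in for the auth_* field extractions described in the post.
SYSLOG = """Apr 24 18:37:07 webauth auth_action=login auth_success=N auth_ip=204.108.65.120 auth_userid=blowfish1
Apr 24 18:37:09 webauth auth_action=login auth_success=N auth_ip=204.108.65.120 auth_userid=blowfish1
Apr 24 18:37:12 webauth auth_action=login auth_success=N auth_ip=204.108.65.120 auth_userid=blowfishz
Apr 24 18:37:15 webauth auth_action=login auth_success=N auth_ip=198.51.100.7 auth_userid=alice
Apr 24 18:37:20 webauth auth_action=login auth_success=Y auth_ip=198.51.100.7 auth_userid=bob
Apr 24 18:37:30 webauth auth_action=login auth_success=N auth_ip=203.0.113.9 auth_userid=carol
Apr 24 18:37:31 webauth auth_action=login auth_success=N auth_ip=203.0.113.9 auth_userid=carol
"""
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def load_geoip(csv_text):
    """Lookup table as a dict: clientip -> {client_country_code, client_city}."""
    return {r["clientip"]: r for r in csv.DictReader(io.StringIO(csv_text))}

def geoip_lookup(event, table, ip_field="auth_ip"):
    """`lookup geoip clientip as auth_ip`: add client_* fields when the IP is known."""
    hit = table.get(event.get(ip_field), {})
    event.update({k: v for k, v in hit.items() if k != "clientip"})
    return event

def failed_logins_by_ip(syslog_text, table, min_unique=2):
    """Keep failed logins, enrich with geoip, group by (auth_ip, CC, City), count
    distinct user-ids, keep UNIQUE > 1 and sort descending; UserID keeps duplicates
    like Splunk's list(). Returns (auth_ip, CC, City, UNIQUE, UserID) tuples."""
    groups = defaultdict(list)
    for line in syslog_text.splitlines():
        ev = dict(FIELD_RE.findall(line))           # the auth_* field extraction
        if ev.get("auth_action") != "login" or ev.get("auth_success") != "N":
            continue
        geoip_lookup(ev, table)
        key = (ev["auth_ip"], ev.get("client_country_code", ""), ev.get("client_city", ""))
        groups[key].append(ev["auth_userid"])
    rows = [(ip, cc, city, len(set(u)), u) for (ip, cc, city), u in groups.items()]
    return sorted((r for r in rows if r[3] >= min_unique), key=lambda r: -r[3])
```

Only the Los Angeles source survives the UNIQUE > 1 filter here: the Berlin IP failed once before succeeding, and the New York IP retried a single user-id.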
Thanks a lot for the answer!