- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Map internal IPs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm having a bit of trouble mapping internal IPs. I'm sure I'm just doing something dumb, but I'd love someone to verify that.
I have this lookup:
dest_ip,_lat,_lng
192.168.1.0/24,38.8951,-77.0363
and this transform:
[geoip_internal]
filename = geoip_internal.csv
match_type = CIDR(dest_ip)
And then this search:
dest_ip=* status=Up | dedup dest_ip | lookup geoip_internal dest_ip | geoip dest_ip
Within Google Maps, I don't get any markers plotted out, but I do get this info under the "Geo Results" link:
location geo_position count
n/a 38.8951,-77.0363 17
I'm not sure if I should expect the location to be populated or not, but geo_position looks ok, and the count looks right, so what am I missing? Why don't I have any markers plotted?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is that the module does not append the | geonormalize command automatically in the new version. The postprocess for the "Geo Results" table does append it, though. Since the new module now expects a combined latitude/longitude value in the _geo field (the old one expected the _lat and _lng field) you have to either append the geonormalize to your search:
dest_ip=* status=Up | dedup dest_ip | lookup geoip_internal dest_ip | geoip dest_ip | geonormalize
or even better, modify your lookup to emit the combined _geo value:
dest_ip,_geo
192.168.1.0/24,"38.8951,-77.0363"
(note the quotes around the lat/lon value)
Additinally, you can specify a "geo_info" column in your lookup with a label that will appear in the "location" column of the "Geo results" table:
dest_ip,geo_info,_geo
192.168.1.0/24,"Washington DC","38.8951,-77.0363"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is that the module does not append the | geonormalize command automatically in the new version. The postprocess for the "Geo Results" table does append it, though. Since the new module now expects a combined latitude/longitude value in the _geo field (the old one expected the _lat and _lng field) you have to either append the geonormalize to your search:
dest_ip=* status=Up | dedup dest_ip | lookup geoip_internal dest_ip | geoip dest_ip | geonormalize
or even better, modify your lookup to emit the combined _geo value:
dest_ip,_geo
192.168.1.0/24,"38.8951,-77.0363"
(note the quotes around the lat/lon value)
Additinally, you can specify a "geo_info" column in your lookup with a label that will appear in the "location" column of the "Geo results" table:
dest_ip,geo_info,_geo
192.168.1.0/24,"Washington DC","38.8951,-77.0363"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do have this working and it is awesome, but I have 2 questions:
1: Can I get the location data on other views/dashboards?
1.5: If so how?
2: Can I put the other info such as region_name & postal_code in there and retrieve it with geo lookups?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome! Thanks so much, and thanks for putting together such a sweet app!
Developer Spotlight with Paul Stout
State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...
Data-Driven Success: Splunk & Financial Services
