Missile map show strange location

dannili
Communicator

Hi all, I'm using the Missile Map to visualize several IP locations, but the result has a weird place: it shows a bunch of IP addresses near Africa, but I'm pretty sure there's no place near Africa in my case, because when I use ..|iplocation FromIPAddr | geostats count by Country to test, nothing shows up near Africa. But now it looks like this:


Now I have two possible guesses:
1. The place is not exactly a country, so when I used the above command to search it's not included.
2. It's the bridge IP (but I'm sure no bridge IP would be included in the raw data).

So how do I identify it? Thanks!

1 Solution

luke_monahan
Path Finder

The geographical point in your screenshot is 0,0.

My guess is that some IP addresses with undetermined locations are being put there. You may have to take some steps in your query to exclude or otherwise deal with such addresses.

If your Splunk is not up-to-date then also consider updating the iplocation database separately to get better geo resolution of addresses. You can download the latest db from https://dev.maxmind.com/geoip/geoip2/geolite2/ and point to it in your limits.conf.

dannili
Communicator

Thank you for your quick response! By the way, could you please tell me how you know the geographical point? And if this IP address is not identified, how do I exclude it from the string?


luke_monahan
Path Finder

The geographical point is from the Maxmind database, which is updated relatively frequently with the geographical locations of all known IP ranges. The free version is bundled with Splunk, but you may need to update it yourself if you are not updating Splunk regularly.

There's a fairly good description in the iplocation command reference: http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Iplocation

To completely exclude a non-mappable IP I typically just exclude anything that did not get a "Country" field. e.g.:

<search> | iplocation src_ip | search Country=* | ...

Or something similar.


dannili
Communicator

Thank you for your detailed explanation!


MuS
Legend

Also, your IP addresses need to be public ones to be able to use iplocation; otherwise you need to create a lookup for your private ranges and use the lookup like in this answer: https://answers.splunk.com/answers/616913/how-can-i-use-geolocation-of-a-private-ip-space.html

cheers, MuS

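Putting luke_monahan's "drop anything without a Country" rule and MuS's private-range lookup together, as an added Python example that is not from the thread or from Splunk's own iplocation code; the geo table, the site CIDRs and the sample events are all constructed for illustration:

```python
import ipaddress

# Constructed stand-in for the MaxMind GeoLite2 data that Splunk's iplocation uses.
# A real database resolves most public addresses; two entries are enough here.
PUBLIC_GEO = {
    "8.8.8.8": ("United States", 37.751, -97.822),
    "1.1.1.1": ("Australia", -33.494, 143.2104),
}

# Constructed lookup for private ranges (the approach MuS suggests): map each
# internal site's CIDR to its own coordinates instead of leaving it unresolved.
PRIVATE_SITES = [
    (ipaddress.ip_network("10.1.0.0/16"), ("Office-Dublin", 53.3498, -6.2603)),
    (ipaddress.ip_network("192.168.50.0/24"), ("Office-Tokyo", 35.6762, 139.6503)),
]


def locate(ip_str):
    """Return (label, lat, lon) for an address, or None if it cannot be placed.
    Returning None instead of (0, 0) is what keeps unresolved addresses off the map."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None                      # malformed field value, not an address
    if ip.is_global:
        return PUBLIC_GEO.get(ip_str)    # public: geo database lookup (may miss)
    for net, site in PRIVATE_SITES:      # private/reserved: site lookup table
        if ip in net:
            return site
    return None                          # private, but no site entry for it


def geo_points(events, field="src_ip"):
    """Split events into mappable points and an 'unresolved' bucket for review,
    mirroring '| search Country=*' after iplocation."""
    mapped, unresolved = [], []
    for ev in events:
        loc = locate(ev.get(field, ""))
        if loc is None:
            unresolved.append(ev)
        else:
            mapped.append({**ev, "Country": loc[0], "lat": loc[1], "lon": loc[2]})
    return mapped, unresolved


# Constructed sample events standing in for the raw data in the question.
SAMPLE_EVENTS = [
    {"src_ip": "8.8.8.8"},      # public, in the geo table
    {"src_ip": "10.1.4.7"},     # private, covered by the Dublin site lookup
    {"src_ip": "172.16.9.9"},   # private, no site lookup entry
    {"src_ip": "9.9.9.9"},      # public, but missing from the constructed geo table
    {"src_ip": "not-an-ip"},    # garbage in the field
]
```

The unresolved bucket is worth reviewing separately rather than discarding silently: a private address with no site entry usually means the lookup is incomplete, not that the traffic is uninteresting.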

dannili
Communicator

Yes, you are right! I used several IP location tools to check the input IP, but only this one cannot be identified because of "private IP". THANKS A LOT!
