Hi all, I'm using the Missile map to visualize several IP locations but the result has a weird place: it shows there's a bunch of IP addresses near Africa, but I'm pretty sure there's no place near Africa in my case, because when I use
..| iplocation FromIPAddr | geostats count by Country
to test, there's nothing near Africa. But now it looks like this:
Now I have two possible guesses:
1. The place is not exactly a country so when I used above command to search it's not included.
2. It's the bridge IP. (But I'm sure no bridge IP would be included in the raw data.)
So how do I identify it? Thanks!
The geographical point in your screenshot is 0,0.
My guess is that some IP addresses with undetermined locations are being put there. You may have to take some steps in your query to exclude or otherwise deal with such addresses.
If your Splunk is not up-to-date then also consider updating the iplocation database separately to get better geo resolution of addresses. You can download the latest db from https://dev.maxmind.com/geoip/geoip2/geolite2/ and point to it in your limits.conf.
Also, your IP addresses need to be public ones to be able to use iplocation; otherwise you need to create a lookup for your private ranges and use the lookup as in this answer: https://answers.splunk.com/answers/616913/how-can-i-use-geolocation-of-a-private-ip-space.html
Yes, you are right! I used several IP location tools to check the input IP but only this one cannot be identified because of "private IP". THANKS A LOT!
Thank you for your quick response! By the way, could you please tell me how you know the geographical point? And if this IP address is not identified, how do I exclude it from the string?
The geographical point is from the Maxmind database, which is updated relatively frequently with the geographical locations of all known IP ranges. The free version is bundled with Splunk, but you may need to update it yourself if you are not updating Splunk regularly.
There's a fairly good description in the iplocation command reference: http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Iplocation
To completely exclude a non-mappable IP I typically just keep only the events that did get a "Country" field, e.g.:
<search> | iplocation src_ip | search Country=* | ...
Or something similar.
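An added example, not from the thread, from Splunk or from MaxMind, that puts the two answers above into runnable Python: private addresses cannot be placed by the GeoIP database (so they come back without Country and end up at 0,0), a CIDR lookup for private ranges fills that gap, and keeping only events that have a Country is the equivalent of the `search Country=*` filter. The event dicts are a constructed sample of what `iplocation` emits, and the CSV lookup table (columns cidr, site, lat, lon) is hypothetical; the field names `src_ip`, `Country`, `lat` and `lon` follow the thread and the iplocation reference.

```python
"""Added example: reproduce the thread's diagnosis offline.

Constructed/assumed: SAMPLE_EVENTS is a made-up sample of `| iplocation src_ip`
output (empty Country/lat/lon when the address cannot be resolved), and
PRIVATE_SITE_LOOKUP_CSV is a hypothetical private-range lookup of the kind the
linked answer suggests building.
"""
import csv
import io
import ipaddress

# Constructed sample of events after `| iplocation src_ip`.  The RFC 1918
# addresses get no Country/lat/lon, which is what lands at 0,0 on the map.
SAMPLE_EVENTS = [
    {"src_ip": "8.8.8.8", "Country": "United States", "lat": "37.751", "lon": "-97.822"},
    {"src_ip": "10.20.30.40", "Country": "", "lat": "", "lon": ""},
    {"src_ip": "192.168.1.5", "Country": "", "lat": "", "lon": ""},
    {"src_ip": "1.1.1.1", "Country": "Australia", "lat": "-33.494", "lon": "143.2104"},
    {"src_ip": "172.16.5.5", "Country": "", "lat": "", "lon": ""},
]

# Hypothetical lookup table for private ranges (cidr -> site and coordinates).
PRIVATE_SITE_LOOKUP_CSV = """cidr,site,lat,lon
10.0.0.0/8,HQ,51.5074,-0.1278
10.20.0.0/16,Branch-A,48.8566,2.3522
192.168.0.0/16,Lab,40.7128,-74.0060
"""


def is_geolocatable(ip: str) -> bool:
    """True only for globally routable addresses, the ones a GeoIP DB can place.
    Private (RFC 1918), loopback, link-local and other reserved ranges give False,
    as does anything that is not an IP address at all."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def load_private_lookup(csv_text: str) -> list:
    """Parse the CIDR lookup and sort by prefix length, longest first, so the
    most specific range wins (longest-prefix match)."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append((ipaddress.ip_network(row["cidr"]), row))
    rows.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return rows


def lookup_private_site(ip: str, table: list):
    """Return the lookup row for the most specific matching CIDR, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, row in table:
        if addr in net:
            return row
    return None


def drop_unmapped(events: list) -> list:
    """Python equivalent of `| search Country=*`: keep only events that
    actually resolved to a country, so nothing is plotted at 0,0."""
    return [e for e in events if e.get("Country")]


def enrich_with_private_lookup(events: list, table: list) -> list:
    """Fill Country/lat/lon from the private-range lookup where iplocation
    could not.  Events matched by neither source keep empty fields."""
    out = []
    for e in events:
        e = dict(e)
        if not e.get("Country") and not is_geolocatable(e["src_ip"]):
            row = lookup_private_site(e["src_ip"], table)
            if row is not None:
                e.update(Country=row["site"], lat=row["lat"], lon=row["lon"])
        out.append(e)
    return out


def unmapped_addresses(events: list) -> list:
    """The addresses the question asked how to identify: still no Country after
    both the GeoIP step and the private lookup."""
    return sorted({e["src_ip"] for e in events if not e.get("Country")})


if __name__ == "__main__":
    table = load_private_lookup(PRIVATE_SITE_LOOKUP_CSV)
    enriched = enrich_with_private_lookup(SAMPLE_EVENTS, table)
    for e in enriched:
        print(f"{e['src_ip']:>15}  {e['Country'] or '<unmapped>':<14} {e['lat']},{e['lon']}")
    print("still unmapped:", unmapped_addresses(enriched))
    print("plottable after `search Country=*`:", len(drop_unmapped(SAMPLE_EVENTS)))
```

Running it prints one line per event with its resolved place, lists 172.16.5.5 as still unmapped because no lookup row covers it, and shows that the Country filter keeps only the two public addresses. In Splunk the same split is done by the lookup command against a CIDR-matched lookup definition; the longest-prefix ordering here stands in for that so a /16 site row overrides the enclosing /8.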