All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

geoasn APP fields not populating

sonicZ
Contributor
‎05-11-2012 04:25 PM

Having some trouble getting the GeoASN app working in my lab environment
http://splunk-base.splunk.com/apps/22284/geoasn

I followed the instructions to compile and copy the C SDK, Python SDK to my search head
testing via command line seems to work 

[root@spweb2-s1-inf bin]# /app/splunk/bin/splunk cmd python ga.py < ga.csv
ip,country,asn,org
200.148.108.124,Brazil,27699,DE SAO PAULO S/A - TELESP
203.129.108.100,Japan,10000,Nagasaki Cable Media Inc.
192.168.10.10,RFC1918,0,RFC1918
10.10.20.20,RFC1918,0,RFC1918
172.10.20.30,Unknown,0,Unknown
172.19.20.21,RFC1918,0,RFC1918
172.32.1.1,Unknown,0,Unknown
172.31.1.1,RFC1918,0,RFC1918
172.33.1.1,Unknown,0,Unknown

However testing in the ui does not populate the country, asn fields etc
sourcetype="access_combined" | lookup ga ip

Lookup file and app permissions are all set to global read/write but no change with the new fields populating.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

briang67
Communicator
‎05-14-2012 11:39 AM

We're using the google maps app which also uses the maxmind geoip db,and in our case access_combined is sourcetyping the IP as clientip.

View solution in original post

Reply
Solved! Jump to solution

sonicZ
Contributor
‎05-14-2012 12:25 PM

hey Ayn, yeah i did a | rename clientip as ip and it seems to work.

0 Karma
Reply
Solved! Jump to solution
Solution

briang67
Communicator
‎05-14-2012 11:39 AM

We're using the google maps app which also uses the maxmind geoip db,and in our case access_combined is sourcetyping the IP as clientip.

Reply
Solved! Jump to solution

sonicZ
Contributor
‎05-14-2012 12:29 PM

yep that was it lookup was looking for "ip" field while access_combined defaults to clientip

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎05-11-2012 11:53 PM

Does the "ip" field really exist for the access_combined sourcetype? I recall it being called something else...

Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...