All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

geoasn APP fields not populating

sonicZ
Contributor
‎05-11-2012 04:25 PM

Having some trouble getting the GeoASN app working in my lab environment
http://splunk-base.splunk.com/apps/22284/geoasn

I followed the instructions to compile and copy the C SDK, Python SDK to my search head
testing via command line seems to work 

[root@spweb2-s1-inf bin]# /app/splunk/bin/splunk cmd python ga.py < ga.csv
ip,country,asn,org
200.148.108.124,Brazil,27699,DE SAO PAULO S/A - TELESP
203.129.108.100,Japan,10000,Nagasaki Cable Media Inc.
192.168.10.10,RFC1918,0,RFC1918
10.10.20.20,RFC1918,0,RFC1918
172.10.20.30,Unknown,0,Unknown
172.19.20.21,RFC1918,0,RFC1918
172.32.1.1,Unknown,0,Unknown
172.31.1.1,RFC1918,0,RFC1918
172.33.1.1,Unknown,0,Unknown

However testing in the ui does not populate the country, asn fields etc
sourcetype="access_combined" | lookup ga ip

Lookup file and app permissions are all set to global read/write but no change with the new fields populating.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

briang67
Communicator
‎05-14-2012 11:39 AM

We're using the google maps app which also uses the maxmind geoip db,and in our case access_combined is sourcetyping the IP as clientip.

View solution in original post

Reply
Solved! Jump to solution

sonicZ
Contributor
‎05-14-2012 12:25 PM

hey Ayn, yeah i did a | rename clientip as ip and it seems to work.

0 Karma
Reply
Solved! Jump to solution
Solution

briang67
Communicator
‎05-14-2012 11:39 AM

We're using the google maps app which also uses the maxmind geoip db,and in our case access_combined is sourcetyping the IP as clientip.

Reply
Solved! Jump to solution

sonicZ
Contributor
‎05-14-2012 12:29 PM

yep that was it lookup was looking for "ip" field while access_combined defaults to clientip

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎05-11-2012 11:53 PM

Does the "ip" field really exist for the access_combined sourcetype? I recall it being called something else...

Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...