Solved: geoasn APP fields not populating

sonicZ · ‎05-11-2012

Having some trouble getting the GeoASN app working in my lab environment
http://splunk-base.splunk.com/apps/22284/geoasn

I followed the instructions to compile and copy the C SDK, Python SDK to my search head
testing via command line seems to work

[root@spweb2-s1-inf bin]# /app/splunk/bin/splunk cmd python ga.py < ga.csv
ip,country,asn,org
200.148.108.124,Brazil,27699,DE SAO PAULO S/A - TELESP
203.129.108.100,Japan,10000,Nagasaki Cable Media Inc.
192.168.10.10,RFC1918,0,RFC1918
10.10.20.20,RFC1918,0,RFC1918
172.10.20.30,Unknown,0,Unknown
172.19.20.21,RFC1918,0,RFC1918
172.32.1.1,Unknown,0,Unknown
172.31.1.1,RFC1918,0,RFC1918
172.33.1.1,Unknown,0,Unknown

However testing in the ui does not populate the country, asn fields etc
sourcetype="access_combined" | lookup ga ip

Lookup file and app permissions are all set to global read/write but no change with the new fields populating.

briang67 · ‎05-14-2012

We're using the google maps app which also uses the maxmind geoip db,and in our case access_combined is sourcetyping the IP as clientip.

View solution in original post

sonicZ · ‎05-14-2012

hey Ayn, yeah i did a | rename clientip as ip and it seems to work.

briang67 · ‎05-14-2012

We're using the google maps app which also uses the maxmind geoip db,and in our case access_combined is sourcetyping the IP as clientip.

View solution in original post

sonicZ · ‎05-14-2012

yep that was it lookup was looking for "ip" field while access_combined defaults to clientip

Ayn · ‎05-11-2012

Does the "ip" field really exist for the access_combined sourcetype? I recall it being called something else...

geoasn APP fields not populating

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE! Catch Up Now >>

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>