Solved: Re: geoasn APP fields not populating

sonicZ · ‎05-11-2012

Having some trouble getting the GeoASN app working in my lab environment
http://splunk-base.splunk.com/apps/22284/geoasn

I followed the instructions to compile and copy the C SDK, Python SDK to my search head
testing via command line seems to work

[root@spweb2-s1-inf bin]# /app/splunk/bin/splunk cmd python ga.py < ga.csv
ip,country,asn,org
200.148.108.124,Brazil,27699,DE SAO PAULO S/A - TELESP
203.129.108.100,Japan,10000,Nagasaki Cable Media Inc.
192.168.10.10,RFC1918,0,RFC1918
10.10.20.20,RFC1918,0,RFC1918
172.10.20.30,Unknown,0,Unknown
172.19.20.21,RFC1918,0,RFC1918
172.32.1.1,Unknown,0,Unknown
172.31.1.1,RFC1918,0,RFC1918
172.33.1.1,Unknown,0,Unknown

However testing in the ui does not populate the country, asn fields etc
sourcetype="access_combined" | lookup ga ip

Lookup file and app permissions are all set to global read/write but no change with the new fields populating.

briang67 · ‎05-14-2012

We're using the google maps app which also uses the maxmind geoip db,and in our case access_combined is sourcetyping the IP as clientip.

View solution in original post

sonicZ · ‎05-14-2012

hey Ayn, yeah i did a | rename clientip as ip and it seems to work.

briang67 · ‎05-14-2012

We're using the google maps app which also uses the maxmind geoip db,and in our case access_combined is sourcetyping the IP as clientip.

sonicZ · ‎05-14-2012

yep that was it lookup was looking for "ip" field while access_combined defaults to clientip

Ayn · ‎05-11-2012

Does the "ip" field really exist for the access_combined sourcetype? I recall it being called something else...

geoasn APP fields not populating

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!