I'm having some trouble getting the GeoASN app working in my lab environment:
http://splunk-base.splunk.com/apps/22284/geoasn
I followed the instructions to compile and copy the C SDK and Python SDK to my search head.
Testing via the command line seems to work:
[root@spweb2-s1-inf bin]# /app/splunk/bin/splunk cmd python ga.py < ga.csv
ip,country,asn,org
200.148.108.124,Brazil,27699,DE SAO PAULO S/A - TELESP
203.129.108.100,Japan,10000,Nagasaki Cable Media Inc.
192.168.10.10,RFC1918,0,RFC1918
10.10.20.20,RFC1918,0,RFC1918
172.10.20.30,Unknown,0,Unknown
172.19.20.21,RFC1918,0,RFC1918
172.32.1.1,Unknown,0,Unknown
172.31.1.1,RFC1918,0,RFC1918
172.33.1.1,Unknown,0,Unknown
However, testing in the UI does not populate the country, asn, etc. fields:
sourcetype="access_combined" | lookup ga ip
Lookup file and app permissions are all set to global read/write, but there is no change; the new fields still do not populate.
We're using the Google Maps app, which also uses the MaxMind GeoIP DB, and in our case access_combined is sourcetyping the IP as clientip.
Hey Ayn, yeah, I did a | rename clientip as ip and it seems to work.
Yep, that was it: the lookup was looking for the "ip" field while access_combined defaults to clientip.
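To see why the command-line test worked while the UI search returned nothing, here is an added Python example (written for this page, not the GeoASN app's own ga.py) that emulates the Splunk external-lookup contract: the script receives a CSV on stdin whose header names the lookup fields, fills in the output columns, and writes the CSV back. The GeoIP/ASN data is a constructed stand-in for the MaxMind database, the events are constructed access_combined-style events that only carry clientip, and apply_lookup is an assumed helper that models what `lookup ga ip` and `lookup ga ip AS clientip` hand to the script. The RFC1918 check uses the three RFC 1918 networks, which reproduces the Unknown/RFC1918 split the original output shows for 172.10.x, 172.31.x and 172.32.x.

```python
import csv
import io
import ipaddress
import sys

# RFC 1918 ranges; the /12 is why 172.31.1.1 is private but 172.10.20.30 and 172.32.1.1 are not.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for the MaxMind GeoIP/ASN data the real lookup script queries.
FAKE_GEO_DB = {
    "200.148.108.124": ("Brazil", "27699", "DE SAO PAULO S/A - TELESP"),
    "203.129.108.100": ("Japan", "10000", "Nagasaki Cable Media Inc."),
}

def classify(ip):
    """Return (country, asn, org) for one address; RFC1918, unparsable and unknown are explicit."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return ("Unknown", "0", "Unknown")
    if any(addr in net for net in RFC1918):
        return ("RFC1918", "0", "RFC1918")
    return FAKE_GEO_DB.get(str(addr), ("Unknown", "0", "Unknown"))

def run_lookup(csv_in, ip_field="ip"):
    """External-lookup contract: CSV in, same header out, output columns filled per row."""
    reader = csv.DictReader(io.StringIO(csv_in))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames or [], lineterminator="\n")
    writer.writeheader()
    for row in reader:
        ip = row.get(ip_field, "")
        if ip:  # an empty input column means the event had no such field: nothing to enrich
            country, asn, org = classify(ip)
            row.update({"country": country, "asn": asn, "org": org})
        writer.writerow(row)
    return out.getvalue()

def apply_lookup(events, lookup_field="ip", event_field=None):
    """Assumed model of `| lookup ga <lookup_field> [AS <event_field>]`: Splunk copies the
    event field into the lookup's input column, runs the script, and merges the output back."""
    event_field = event_field or lookup_field
    header = [lookup_field, "country", "asn", "org"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=header, lineterminator="\n")
    writer.writeheader()
    for ev in events:
        writer.writerow({lookup_field: ev.get(event_field, "")})
    rows = csv.DictReader(io.StringIO(run_lookup(buf.getvalue(), lookup_field)))
    enriched = []
    for ev, row in zip(events, rows):
        ev = dict(ev)
        for k in ("country", "asn", "org"):
            if row[k]:
                ev[k] = row[k]
        enriched.append(ev)
    return enriched

# Constructed events: access_combined extracts the client address as clientip, not ip.
EVENTS = [{"clientip": "200.148.108.124"}, {"clientip": "172.31.1.1"}, {"clientip": "172.32.1.1"}]

if __name__ == "__main__":
    if sys.stdin.isatty():
        # Same mismatch as the thread: `lookup ga ip` finds no ip field, so nothing is populated.
        print("lookup ga ip            ->", apply_lookup(EVENTS))
        # Either `rename clientip as ip` first, or map the field with AS, and the lookup fires.
        print("lookup ga ip AS clientip ->", apply_lookup(EVENTS, "ip", "clientip"))
    else:
        # Behave like a lookup script: `python this.py < ga.csv`
        sys.stdout.write(run_lookup(sys.stdin.read()))
```

Run it with no stdin to see both searches side by side, or pipe a CSV with an ip header into it to exercise the lookup-script path. The practical check when a lookup silently adds no fields is to confirm the input field name in the search matches what the sourcetype actually extracts (here clientip), and to map it with `lookup ga ip AS clientip` rather than relying on a rename.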
Does the "ip" field really exist for the access_combined sourcetype? I recall it being called something else...