Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: geoasn APP fields not populating
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Having some trouble getting the GeoASN app working in my lab environment
http://splunk-base.splunk.com/apps/22284/geoasn
I followed the instructions to compile and copy the C SDK, Python SDK to my search head
testing via command line seems to work
[root@spweb2-s1-inf bin]# /app/splunk/bin/splunk cmd python ga.py < ga.csv
ip,country,asn,org
200.148.108.124,Brazil,27699,DE SAO PAULO S/A - TELESP
203.129.108.100,Japan,10000,Nagasaki Cable Media Inc.
192.168.10.10,RFC1918,0,RFC1918
10.10.20.20,RFC1918,0,RFC1918
172.10.20.30,Unknown,0,Unknown
172.19.20.21,RFC1918,0,RFC1918
172.32.1.1,Unknown,0,Unknown
172.31.1.1,RFC1918,0,RFC1918
172.33.1.1,Unknown,0,Unknown
However testing in the ui does not populate the country, asn fields etc
sourcetype="access_combined" | lookup ga ip
Lookup file and app permissions are all set to global read/write but no change with the new fields populating.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We're using the google maps app which also uses the maxmind geoip db,and in our case access_combined is sourcetyping the IP as clientip.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey Ayn, yeah i did a | rename clientip as ip and it seems to work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We're using the google maps app which also uses the maxmind geoip db,and in our case access_combined is sourcetyping the IP as clientip.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yep that was it lookup was looking for "ip" field while access_combined defaults to clientip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does the "ip" field really exist for the access_combined sourcetype? I recall it being called something else...
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
