All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

geoasn APP fields not populating

sonicZ
Contributor
‎05-11-2012 04:25 PM

Having some trouble getting the GeoASN app working in my lab environment
http://splunk-base.splunk.com/apps/22284/geoasn

I followed the instructions to compile and copy the C SDK, Python SDK to my search head
testing via command line seems to work 

[root@spweb2-s1-inf bin]# /app/splunk/bin/splunk cmd python ga.py < ga.csv
ip,country,asn,org
200.148.108.124,Brazil,27699,DE SAO PAULO S/A - TELESP
203.129.108.100,Japan,10000,Nagasaki Cable Media Inc.
192.168.10.10,RFC1918,0,RFC1918
10.10.20.20,RFC1918,0,RFC1918
172.10.20.30,Unknown,0,Unknown
172.19.20.21,RFC1918,0,RFC1918
172.32.1.1,Unknown,0,Unknown
172.31.1.1,RFC1918,0,RFC1918
172.33.1.1,Unknown,0,Unknown

However testing in the ui does not populate the country, asn fields etc
sourcetype="access_combined" | lookup ga ip

Lookup file and app permissions are all set to global read/write but no change with the new fields populating.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

briang67
Communicator
‎05-14-2012 11:39 AM

We're using the google maps app which also uses the maxmind geoip db,and in our case access_combined is sourcetyping the IP as clientip.

View solution in original post

Reply
Solved! Jump to solution

sonicZ
Contributor
‎05-14-2012 12:25 PM

hey Ayn, yeah i did a | rename clientip as ip and it seems to work.

0 Karma
Reply
Solved! Jump to solution
Solution

briang67
Communicator
‎05-14-2012 11:39 AM

We're using the google maps app which also uses the maxmind geoip db,and in our case access_combined is sourcetyping the IP as clientip.

Reply
Solved! Jump to solution

sonicZ
Contributor
‎05-14-2012 12:29 PM

yep that was it lookup was looking for "ip" field while access_combined defaults to clientip

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎05-11-2012 11:53 PM

Does the "ip" field really exist for the access_combined sourcetype? I recall it being called something else...

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...