Re: help with a simple search on Google Maps

surban99 · ‎05-27-2011

When I use the command.

SRC="*" | geoip clientip_city

I get 3055 matching events, but nothing on the map.

I guess what I expect to happen is for the IP Addresses in each of these events to show up on the Map.

What am I doing wrong?

ziegfried · ‎05-27-2011

If the field "clientip_city" contains the IP addresses, you can try this search instead:

SRC=* clientip_city=* | geoip clientip_city

Update:
To extract the field, you have to either configure the fields to be extracted (see http://www.splunk.com/base/Documentation/latest/Knowledge/Addfieldsatsearchtime) or extract them inline:

SRC=* | rex "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | geoip ip

This will extract the first matching IP in the event.

ziegfried · ‎06-01-2011

sounds like the command is failing to execute. try the new version of the google maps app.

surban99 · ‎05-31-2011

should I be able to execute geoip.py from the command line? I cannot

surban99 · ‎05-31-2011

that didn't format right, It's a windows path to the geoip.py but the table is empty for those fields

surban99 · ‎05-31-2011

sorry, thought I lost you there,

I get IPs!!

there are numerous fields like "C:\Program Files\Splunk\etc\apps\maps\bin\geoip.py"

but they're all empty.

ziegfried · ‎05-31-2011

what's the result when you execute the following in the default search view:

SRC=* | table SRC | geoip SRC

surban99 · ‎05-31-2011

SRC=* | geoip SRC

it does not, thank you for your patience 🙂

ziegfried · ‎05-31-2011

ok, then the following search should work on Google Maps:

SRC=* | geoip SRC

surban99 · ‎05-31-2011

ABSOLUTELY! here's a single line from one of the log files.

Nov 6 23:09:52 ice kernel: NEW not SYN? IN=eth1 OUT= MAC=00:08:c7:21:b1:4a:00:07:0e:05:85:f2:08:00 SRC=8.8.8.8 DST=8.8.8.9 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=54197 PROTO=TCP SPT=80 DPT=2080 WINDOW=7245 RES=0x00 ACK FIN URGP=0

The IPs have been changed to protect the innocent

ziegfried · ‎05-31-2011

Btw. you can use the "add new comment" instead of posting everything in a new answer.

ziegfried · ‎05-31-2011

Seems like you don't have IP addresses in your events, do you?

surban99 · ‎05-31-2011

RC=* | rex "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | table ip

108,710 results from July 1 through July 30, 2010

the table has over 1116 pages(I got tired of clicking)

every page I saw was empty.

ziegfried · ‎05-31-2011

What is displayed in the results table? Btw. you were missing the backslashes in your search - I've modified your answer. Try this search instead.

surban99 · ‎05-31-2011

SRC=* | rex "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | table ip

108,710 matching events

what specifically should I be looking for?

ziegfried · ‎05-31-2011

Please execute those searches in the DEFAULT search view of Splunk, not in the Google Maps view - and describe the results you're seeing.

surban99 · ‎05-31-2011

SRC=* | rex "(?d{1,3}.d{1,3}.d{1,3}.d{1,3})" | table ip

no events, 0 results with location information

| stats count | eval ip="8.8.8.8" | geoip ip

no events, 0 results with location information

ziegfried · ‎05-31-2011

"geoip 8.8.8.8" will not work. The first argument to the geoip command is always a field name, not a value. You can execute the following the test whether the geoip command is working: | stats count | eval ip="8.8.8.8" | geoip ip

ziegfried · ‎05-31-2011

Try to execute the following search in the default search view of splunk:
SRC=* | rex "(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})" | table ip
What kind of results are you getting?

surban99 · ‎05-31-2011

SRC=* | rex "(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})" | geoip ip

still does not work. "0 results with location information" is it possible the database is not working/up to date? is there a simple search I can do to test this

eg:

geoip 8.8.8.8

shouldn't that work?

ziegfried · ‎05-27-2011

I've updated the answer

help with a simple search on Google Maps

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life