Dashboards & Visualizations

Why do i get a no value in Country while using iplocation

sangs8788
Communicator

Hi,

With the below query i am able to list the country and request count by response time split.

wall_time != NULL client_ipaddress != NULL |iplocation client_ipaddress| eval Latency=case(wall_time<500, "0-0.5s", wall_time>=500 AND wall_time<1000, "0.5s-1s",wall_time>=1000 AND wall_time<3000, "1s-3s", wall_time>=3000 AND wall_time<6000, "3s-6s",THREAD_WALL_MS>=4000 AND wall_time<10000, "6s-10s",wall_time>=10000 AND wall_time<30000, "10s-30s", wall_time>=30000, ">=30s")| chart span=1w count  as RequestCount over Country by Latency | sort -RequestCount, -Latency  

But the query seems to be resulting 1 row with no value for the country field. Why is it so ? Anything i am missing out ?

alt text

Tags (1)
0 Karma

ManchitMalik
Explorer

Those IPs are not tagged with any location so they are coming blank. You can go through the description of iplocation command in below url: https://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Iplocation#Description . There they have mentioned - "Because all the information might not be available for each IP address, an event can have empty field values." . Thanks

0 Karma

inventsekar
Ultra Champion

Any ideas when the iplocations db was last updated?!?!

the procedure to update iplocations database...
https://www.splunk.com/blog/2014/07/22/updating-the-iplocation-db.html

niketn
Legend

@sangs8788 while you should definitely try updating iplocation as mentioned by @inventsekar, but you should still maintain a list of IPs without Geo Location details and either mark them with respective IP addresses or as Unknown when Country is not mapped.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

sangs8788
Communicator

@niketnilay I am trying to filter out few IPs by finding the location, but yea this sounds good for now. Thanks

0 Karma

sangs8788
Communicator

@inventsekar I am not sure on that. Have to check with Ops team since i dont have the permission. But we got upgraded our Splunk recently. So ideally shouldnt it be up-to-date ?

0 Karma

niketn
Legend

GeoLite2 DB gets updated frequently, I just looked at recent version which is from 2018/08/07. So if your recent upgrade happened prior to that you would need to upgrade your MaxMind DB.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

sangs8788
Communicator

ok. Let me check on that. Thanks

0 Karma

sangs8788
Communicator

Is that even possible ? run time can do an eval for the country and set country name based on IP address which is not getting listed ? something like below |eval Country = case(CLIENT_IP like "203.*", "Singapore", CLIENT_IP like "103.*", "China", CLIENT_IP like "199.*", "Czech Republic")

0 Karma

inventsekar
Ultra Champion

when you run this command, do you still get empty country for one row?!?!
wall_time != NULL client_ipaddress != NULL |iplocation client_ipaddress| chart span=1w count as RequestCount over Country | sort -RequestCount

or simply,
wall_time != NULL client_ipaddress != NULL |iplocation client_ipaddress|table client_ipaddress, status, City, Country
choose time as needed

0 Karma

sangs8788
Communicator

yes i do get.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@sangs8788,

iplocation: extracts location information from IP addresses by using 3rd-party databases. This command supports IPv4 and IPv6.

The IP address that you specify in the ip-address-fieldname argument, is looked up in the database. Fields from that database that contain location information are added to each event. The setting used for the allfields argument determines which fields are added to the events.

Because all the information might not be available for each IP address, an event can have empty field values.

For IP addresses which do not have a location, such as internal addresses, no fields are added.

https://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Iplocation#Description

Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...