Dashboards & Visualizations

Why do i get a no value in Country while using iplocation

sangs8788
Communicator

Hi,

With the below query i am able to list the country and request count by response time split.

wall_time != NULL client_ipaddress != NULL |iplocation client_ipaddress| eval Latency=case(wall_time<500, "0-0.5s", wall_time>=500 AND wall_time<1000, "0.5s-1s",wall_time>=1000 AND wall_time<3000, "1s-3s", wall_time>=3000 AND wall_time<6000, "3s-6s",THREAD_WALL_MS>=4000 AND wall_time<10000, "6s-10s",wall_time>=10000 AND wall_time<30000, "10s-30s", wall_time>=30000, ">=30s")| chart span=1w count  as RequestCount over Country by Latency | sort -RequestCount, -Latency  

But the query seems to be resulting 1 row with no value for the country field. Why is it so ? Anything i am missing out ?

alt text

Tags (1)
0 Karma

ManchitMalik
Explorer

Those IPs are not tagged with any location so they are coming blank. You can go through the description of iplocation command in below url: https://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Iplocation#Description . There they have mentioned - "Because all the information might not be available for each IP address, an event can have empty field values." . Thanks

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Any ideas when the iplocations db was last updated?!?!

the procedure to update iplocations database...
https://www.splunk.com/blog/2014/07/22/updating-the-iplocation-db.html

niketn
Legend

@sangs8788 while you should definitely try updating iplocation as mentioned by @inventsekar, but you should still maintain a list of IPs without Geo Location details and either mark them with respective IP addresses or as Unknown when Country is not mapped.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

sangs8788
Communicator

@niketnilay I am trying to filter out few IPs by finding the location, but yea this sounds good for now. Thanks

0 Karma

sangs8788
Communicator

@inventsekar I am not sure on that. Have to check with Ops team since i dont have the permission. But we got upgraded our Splunk recently. So ideally shouldnt it be up-to-date ?

0 Karma

niketn
Legend

GeoLite2 DB gets updated frequently, I just looked at recent version which is from 2018/08/07. So if your recent upgrade happened prior to that you would need to upgrade your MaxMind DB.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

sangs8788
Communicator

ok. Let me check on that. Thanks

0 Karma

sangs8788
Communicator

Is that even possible ? run time can do an eval for the country and set country name based on IP address which is not getting listed ? something like below |eval Country = case(CLIENT_IP like "203.*", "Singapore", CLIENT_IP like "103.*", "China", CLIENT_IP like "199.*", "Czech Republic")

0 Karma

inventsekar
SplunkTrust
SplunkTrust

when you run this command, do you still get empty country for one row?!?!
wall_time != NULL client_ipaddress != NULL |iplocation client_ipaddress| chart span=1w count as RequestCount over Country | sort -RequestCount

or simply,
wall_time != NULL client_ipaddress != NULL |iplocation client_ipaddress|table client_ipaddress, status, City, Country
choose time as needed

0 Karma

sangs8788
Communicator

yes i do get.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@sangs8788,

iplocation: extracts location information from IP addresses by using 3rd-party databases. This command supports IPv4 and IPv6.

The IP address that you specify in the ip-address-fieldname argument, is looked up in the database. Fields from that database that contain location information are added to each event. The setting used for the allfields argument determines which fields are added to the events.

Because all the information might not be available for each IP address, an event can have empty field values.

For IP addresses which do not have a location, such as internal addresses, no fields are added.

https://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Iplocation#Description

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...