Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why do i get a no value in Country while using iplocation

sangs8788
Communicator
‎08-21-2018 11:04 PM

Hi,

With the below query i am able to list the country and request count by response time split.

wall_time != NULL client_ipaddress != NULL |iplocation client_ipaddress| eval Latency=case(wall_time<500, "0-0.5s", wall_time>=500 AND wall_time<1000, "0.5s-1s",wall_time>=1000 AND wall_time<3000, "1s-3s", wall_time>=3000 AND wall_time<6000, "3s-6s",THREAD_WALL_MS>=4000 AND wall_time<10000, "6s-10s",wall_time>=10000 AND wall_time<30000, "10s-30s", wall_time>=30000, ">=30s")| chart span=1w count  as RequestCount over Country by Latency | sort -RequestCount, -Latency

But the query seems to be resulting 1 row with no value for the country field. Why is it so ? Anything i am missing out ?

alt text

Tags (1)
Preview file
1 KB
0 Karma
Reply

ManchitMalik
Explorer
‎08-22-2018 01:37 AM

Those IPs are not tagged with any location so they are coming blank. You can go through the description of iplocation command in below url: https://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Iplocation#Description . There they have mentioned - "Because all the information might not be available for each IP address, an event can have empty field values." . Thanks

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-21-2018 11:20 PM

Any ideas when the iplocations db was last updated?!?!

the procedure to update iplocations database...
https://www.splunk.com/blog/2014/07/22/updating-the-iplocation-db.html

Reply

niketn
Legend
‎08-21-2018 11:30 PM

@sangs8788 while you should definitely try updating iplocation as mentioned by @inventsekar, but you should still maintain a list of IPs without Geo Location details and either mark them with respective IP addresses or as Unknown when Country is not mapped.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

sangs8788
Communicator
‎08-21-2018 11:36 PM

@niketnilay I am trying to filter out few IPs by finding the location, but yea this sounds good for now. Thanks

0 Karma
Reply

sangs8788
Communicator
‎08-21-2018 11:35 PM

@inventsekar I am not sure on that. Have to check with Ops team since i dont have the permission. But we got upgraded our Splunk recently. So ideally shouldnt it be up-to-date ?

0 Karma
Reply

niketn
Legend
‎08-21-2018 11:46 PM

GeoLite2 DB gets updated frequently, I just looked at recent version which is from 2018/08/07. So if your recent upgrade happened prior to that you would need to upgrade your MaxMind DB.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

sangs8788
Communicator
‎08-22-2018 01:17 AM

ok. Let me check on that. Thanks

0 Karma
Reply

sangs8788
Communicator
‎08-21-2018 11:38 PM

Is that even possible ? run time can do an eval for the country and set country name based on IP address which is not getting listed ? something like below |eval Country = case(CLIENT_IP like "203.*", "Singapore", CLIENT_IP like "103.*", "China", CLIENT_IP like "199.*", "Czech Republic")

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-21-2018 11:19 PM

when you run this command, do you still get empty country for one row?!?!
wall_time != NULL client_ipaddress != NULL |iplocation client_ipaddress| chart span=1w count as RequestCount over Country | sort -RequestCount

or simply,
wall_time != NULL client_ipaddress != NULL |iplocation client_ipaddress|table client_ipaddress, status, City, Country
choose time as needed

0 Karma
Reply

sangs8788
Communicator
‎08-21-2018 11:33 PM

yes i do get.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎08-21-2018 11:18 PM

@sangs8788,

iplocation: extracts location information from IP addresses by using 3rd-party databases. This command supports IPv4 and IPv6.

The IP address that you specify in the ip-address-fieldname argument, is looked up in the database. Fields from that database that contain location information are added to each event. The setting used for the allfields argument determines which fields are added to the events.

Because all the information might not be available for each IP address, an event can have empty field values.

For IP addresses which do not have a location, such as internal addresses, no fields are added.

https://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Iplocation#Description

Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...