Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: combine search results with external data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Sigi Puchbauer helped me with this once. This is how he suggested to solve the issue:
You create an additional internal lookup that you can use to lookup internal ips
... | lookup geoip clientip | lookup internal_geoip ip as clientip OUTPUTNEW _geo
The internal_geoip Lookup is a CSV File with the following format:
ip,_geo
"10.1.1.0/24","47.11,8.15"
"10.1.2.0/24","77.11,-8.15"
In $SPLUNK_HOME/etc/system/default/transforms.conf the lookup has to be configured to make a CIDR match:
[internal_geoip]
filename = internal_geoip.csv
match_type = CIDR(ip)
You can then create a macro that does both lookup for you to make the searches easier
... | `geoip(clientip)`
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Sigi Puchbauer helped me with this once. This is how he suggested to solve the issue:
You create an additional internal lookup that you can use to lookup internal ips
... | lookup geoip clientip | lookup internal_geoip ip as clientip OUTPUTNEW _geo
The internal_geoip Lookup is a CSV File with the following format:
ip,_geo
"10.1.1.0/24","47.11,8.15"
"10.1.2.0/24","77.11,-8.15"
In $SPLUNK_HOME/etc/system/default/transforms.conf the lookup has to be configured to make a CIDR match:
[internal_geoip]
filename = internal_geoip.csv
match_type = CIDR(ip)
You can then create a macro that does both lookup for you to make the searches easier
... | `geoip(clientip)`
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
great, it's working. Thank you, chris.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'v just edited the answer. This file is a good place to start /opt/splunk/etc/system/local/transforms.conf. If you start developing your own apps it will be in /opt/splunk/etc/apps/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Chris for your answer.
I have few transforms.conf on server and I don't know which one to use:
/opt/splunk/etc/apps/MAXMIND/default/transforms.conf
/opt/splunk/etc/apps/maps/default/transforms.conf
/opt/splunk/etc/apps/SplunkforSquid/default/transforms.conf
/opt/splunk/etc/system/default/transforms.conf
I want to create a dashboard, which will display the number of IP addresses if the ip address match CIDR in a csv file.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
