Hi,
Sigi Puchbauer helped me with this once. This is how he suggested to solve the issue:
You create an additional internal lookup that you can use to look up internal IPs:
... | lookup geoip clientip | lookup internal_geoip ip as clientip OUTPUTNEW _geo
The internal_geoip lookup is a CSV file with the following format:
ip,_geo
"10.1.1.0/24","47.11,8.15"
"10.1.2.0/24","77.11,-8.15"
In $SPLUNK_HOME/etc/system/default/transforms.conf the lookup has to be configured to make a CIDR match:
[internal_geoip]
filename = internal_geoip.csv
match_type = CIDR(ip)
You can then create a macro that does both lookups for you to make the searches easier:
... | `geoip(clientip)`
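To make the two-stage enrichment concrete, here is an added Python example (not part of the answer or of Splunk) that mimics what the second lookup does: it parses the internal_geoip.csv format shown above, resolves a client IP against the CIDR rows, and fills _geo only when the public geoip lookup left it empty, which is the OUTPUTNEW behaviour the search relies on. The longest-prefix rule for overlapping ranges and the extra /16 row are this example's own assumptions, not a statement about how Splunk breaks ties.

```python
import csv
import io
import ipaddress

# Constructed sample: the two rows from the answer plus a broader /16 so the
# longest-prefix choice below has something to decide.
INTERNAL_GEOIP_CSV = """ip,_geo
"10.1.1.0/24","47.11,8.15"
"10.1.2.0/24","77.11,-8.15"
"10.1.0.0/16","48.00,8.00"
"""


def load_internal_geoip(text):
    """Parse the CSV into (network, _geo) pairs; malformed rows are skipped."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            net = ipaddress.ip_network(row["ip"], strict=False)
            rows.append((net, row["_geo"]))
        except (KeyError, ValueError):
            continue
    return rows


def cidr_lookup(table, clientip):
    """Return _geo of the most specific network containing clientip, else None.
    Longest-prefix selection is an assumption of this example."""
    try:
        addr = ipaddress.ip_address(clientip)
    except ValueError:
        return None
    best = None
    for net, geo in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, geo)
    return best[1] if best else None


def enrich(events, table):
    """Mimic `| lookup internal_geoip ip as clientip OUTPUTNEW _geo`:
    only events whose _geo is still empty get the internal value."""
    out = []
    for ev in events:
        ev = dict(ev)  # do not mutate the caller's events
        if not ev.get("_geo"):
            geo = cidr_lookup(table, ev.get("clientip", ""))
            if geo is not None:
                ev["_geo"] = geo
        out.append(ev)
    return out
```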
great, it's working. Thank you, chris.
I've just edited the answer. This file is a good place to start: /opt/splunk/etc/system/local/transforms.conf. If you start developing your own apps it will be in /opt/splunk/etc/apps/
Thank you Chris for your answer.
I have a few transforms.conf files on the server and I don't know which one to use:
/opt/splunk/etc/apps/MAXMIND/default/transforms.conf
/opt/splunk/etc/apps/maps/default/transforms.conf
/opt/splunk/etc/apps/SplunkforSquid/default/transforms.conf
/opt/splunk/etc/system/default/transforms.conf
I want to create a dashboard which will display the number of IP addresses if the IP address matches a CIDR in a CSV file.