
Trying to find Geo Location for IP addresses from a non-interesting field

dswoff
New Member

So I am trying to find the geo location for some IP addresses that keep crashing our webserver when they crawl it. I am getting the information from the event logs. The IP addresses are coming in on a generic field called message that contains a lot of text, so I am pulling them out using a rex command, but the iplocation command shows no country code. I have used the iplocation command to get geo information about IP addresses in the past several hours on another search, so I know that works in my system. When I use the | where ip_address='ip-address' command it shows no data. So I'm guessing that Splunk doesn't see the text in the created field ip_address as actual IP addresses. Does anyone know how I can make it see this data as an IP address? Or is it that there might be a leading space or something like that that is causing the issue, and if so how do I get rid of that noise?

index="eventlog" EventCode=1309
| rex field=Message "User host address:\s(?<ip_address>.*)"
| iplocation ip_address=Country
| table ip_address, Country

0 Karma

dswoff
New Member

Same results: I get the IP address but no country in the Geo Location. I have noticed that I have a space at the end of the IP address using this rex command. I ended up using the following command to remove the ending space, and that resolved my problem.
| eval ip_address=trim(ip_address)

0 Karma

victor_menezes
Path Finder

Hey @dswoff ,

AFAIK there is a problem in your logic. The | iplocation command accepts a few arguments, but not a key:value pair as the IP.

I believe in your case you want to pass the IP and get the Country as the result, so try this:

index="eventlog" EventCode=1309
| rex field=Message "User host address:\s(?<ip_address>.*)"
| iplocation ip_address
| table ip_address, Country

OR for a fixed IP (iplocation takes a field name, so put the literal address into a field first):

index="eventlog" EventCode=1309
| eval ip_address="<your_ip_here>"
| iplocation ip_address
| table ip_address, Country

The iplocation command accepts an IP field and will give you in response the fields: City, Continent, Country, MetroCode, Region, Timezone, lat and lon.

Give it a try and let me know.
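The two fixes in this thread (trim the extracted value, and hand the lookup a clean field rather than a key=value argument) come down to one hygiene rule for any SIEM pipeline: a greedy `.*` capture is not an IP address until it has been trimmed and validated. The following is an added example written for this page, not code from either poster or from Splunk; it is in Python rather than SPL so the behaviour can be run offline. The event messages are constructed to mimic the EventCode 1309 Message text, with a trailing space after the address exactly as described above. It shows the greedy capture picking up the space, a token capture plus `ipaddress` validation that also handles IPv6, and a per-client count of the kind you want when a crawler is taking the server down.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample Message fields (not taken from the original post). The first two
# carry a trailing space after the address, which is what the thread's greedy ".*"
# capture kept and what made the geo lookup return nothing.
SAMPLE_MESSAGES = [
    "Event code: 3005\nUser host address: 203.0.113.7 \nUser: anonymous",
    "Event code: 3005\nUser host address: 203.0.113.7 \nUser: anonymous",
    "Event code: 3005\nUser host address: 198.51.100.23\nUser: anonymous",
    "Event code: 3005\nUser host address: 2001:db8::10\nUser: anonymous",
    "Event code: 3005\nUser host address: not-an-ip\nUser: anonymous",
]

# Same pattern as the thread's rex: ".*" runs to the end of the line, whitespace included.
GREEDY_RE = re.compile(r"User host address:\s(?P<ip_address>.*)")

# Capture a single non-whitespace token instead; validation is left to the ipaddress module.
TOKEN_RE = re.compile(r"User host address:\s*(?P<ip_address>\S+)")


def extract_greedy(message):
    """Extraction as posted in the thread; returns the raw capture or None."""
    m = GREEDY_RE.search(message)
    return m.group("ip_address") if m else None


def is_lookup_ready(value):
    """True only when the value parses as an IPv4 or IPv6 address, which is what a geo lookup needs."""
    if value is None:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def extract_validated(message):
    """Capture one token, strip it, and return its canonical IP string, or None if it is not an address."""
    m = TOKEN_RE.search(message)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group("ip_address").strip()))
    except ValueError:
        return None


def count_by_client(messages):
    """Events per validated client address: the view that shows which crawler is hammering the server."""
    return Counter(ip for ip in map(extract_validated, messages) if ip)


if __name__ == "__main__":
    raw = extract_greedy(SAMPLE_MESSAGES[0])
    print(repr(raw), "lookup-ready:", is_lookup_ready(raw))            # trailing space -> False
    print(repr(raw.strip()), "lookup-ready:", is_lookup_ready(raw.strip()))
    for ip, n in count_by_client(SAMPLE_MESSAGES).most_common():
        print(f"{ip:>16}  {n} events")
```

The `is_lookup_ready` check is the offline stand-in for what `| where ip_address='...'` was telling the original poster: the field looked right on screen but did not compare equal because of the invisible trailing byte. Validating with `ipaddress` rather than a hand-written regex also rejects values such as `999.1.1.1` that a `\d{1,3}` pattern would accept.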
