Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Issues with geo_countries lookup

lgsh
New Member
‎02-05-2025 04:53 AM

I'm using this built-in lookup to determine the Country for gps coordinates as follows:

 

| lookup geo_countries latitude, longitude output featureId as Country

 

The issue is that this lookup doesn't anything for some coordinates.

Some examples:

 

40.711157112847644,-74.01527355439009
40.8293703,-73.9709533
22.2866493,114.195508
-33.84808469677436,151.28320075054089
-38.0159081,-57.5320673

| makeresults
| eval latitude="40.711157112847644"
| eval longitude="-74.01527355439009"
| lookup geo_countries latitude, longitude output featureId as Country

 

Google Maps is capable to find an approx location for above coordinates.

Can anybody provide some guidance please.

Many Thanks.

 

 

 

 

Labels (2)
0 Karma
Reply

tej57
Builder
‎06-24-2025 06:45 AM

Hey @lgsh,

Was this solved? If not, following is the reason for the behavior you are facing.

geo_countries lookup does not have any field named latitude or longitude if you are using the built-in lookup. Following are the fields in the lookup table:

tej57_0-1750772618173.png

 

You'll need to extract the latitude and longitude fields from the geom field and use mvexpand to list record for all the coordinates for the same country as a separate event. You'll then be able to match the latitude and longitude fields from the events with those of the lookup and populate the Country.

Hope this helps with your use case.

Thanks,
Tejas.

 

---
If the solution helps, an upvote is appreciated..!!

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...