Splunk Enterprise

Rare iplocation fields handling when applying to data model

phil_wong
Explorer

I added iplocation lookup into my CIM data model. 
I found there's a rare handling when I validate the result by running | from datamodel:  SPL

The result SPL is like following an intermediate search filter was applied.

search src_lon=* src_lat=* src_City=* src_Region=* src_Country=* dest_lon=* dest_lat=* dest_City=* dest_Region=* dest_Country=* 


I have no idea why this is added. My data without location mapped will be dropped.
In order to reduce the impact of this, seems I need to add EVAL to check if lon,lat,City,Country was not produced after running iplocation lookup.

e.g.  | from datamodel expanded SPL

(index=* OR index=_*) (((index=MY_INDEX)) tag=ids tag=attack) DIRECTIVES(READ_SUMMARY(datamodel="Intrusion_Detection.IDS_Attacks" summariesonly="false" allow_old_summaries="true")) | eval dvc=if(isnull(dvc) OR dvc="","unknown",dvc), ids_type=if(isnull(ids_type) OR ids_type="","unknown",ids_type), category=if(isnull(category) OR category="","unknown",category), signature=if(isnull(signature) OR signature="","unknown",signature), severity=if(isnull(severity) OR severity="","unknown",severity), src=if(isnull(src) OR src="" OR src="N/A","unknown",src), dest=if(isnull(dest) OR dest="" OR dest="N/A","unknown",dest), user=if(isnull(user) OR user="","unknown",user), vendor_product=case(isnotnull(vendor_product),vendor_product,isnotnull(vendor) AND vendor!="unknown" AND isnotnull(product) AND product!="unknown",vendor." ".product,isnotnull(vendor) AND vendor!="unknown" AND (isnull(product) OR product="unknown"),vendor." unknown",(isnull(vendor) OR vendor="unknown") AND isnotnull(product) AND product!="unknown","unknown ".product,isnotnull(sourcetype),sourcetype,1=1,"unknown") | iplocation src prefix="src_" | iplocation dest prefix="dest_" | eval src_Country=if(isnull(src_Country) OR src_Country ="","unknown", src_Country), dest_Country=if(isnull(dest_Country) OR dest_Country ="","unknown", dest_Country) | search src_lon=* src_lat=* src_City=* src_Region=* src_Country=* dest_lon=* dest_lat=* dest_City=* dest_Region=* dest_Country=* sourcetype="MY_SOURCETYPE" | eval is_Application_IDS_Attacks=if(searchmatch("(ids_type=\"application\")"),1,0), is_not_Application_IDS_Attacks=1-is_Application_IDS_Attacks, is_Host_IDS_Attacks=if(searchmatch("(ids_type=\"host\")"),1,0), is_not_Host_IDS_Attacks=1-is_Host_IDS_Attacks, is_Network_IDS_Attacks=if(searchmatch("(ids_type=\"network\")"),1,0), is_not_Network_IDS_Attacks=1-is_Network_IDS_Attacks | fields "_time" "host" "source" "sourcetype" "action" "dest_bunit" "dest_category" "dest_port" "dest_priority" "dvc_bunit" "dvc_category" "dvc_priority" "file_hash" "file_name" "file_path" "src_bunit" "src_category" "src_priority" "transport" "tag" "user_bunit" "user_category" "user_priority" "soc_site" "vendor_action" "CVE" "dvc" "ids_type" "category" "signature" "severity" "src" "dest" "user" "vendor_product" "src_Country" "dest_Country" "is_Application_IDS_Attacks" "is_not_Application_IDS_Attacks" "is_Host_IDS_Attacks" "is_not_Host_IDS_Attacks" "is_Network_IDS_Attacks" "is_not_Network_IDS_Attacks" 


 

Labels (1)
Tags (2)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...