Solved: Re: Can't get iplocation to work in my search

hmrabet2 · ‎09-29-2017

I am not getting iplocation working in this query:

tag= web | stats count by IP, sessionId | stats dc(IP) as count, values(IP) as clientIP by sessionId | where count> 5 | iplocation clientIP

I can see the country, city, region fields appear but they are not populated

But when I run the following search I get IP location working with the country, region etc fields populated.

tag= web | iplocation IP | table IP, Country

hortonew · ‎09-29-2017

Add a | mvexpand clientIP after your stats command and it should work. I don't believe iplocation works on multivalue fields

hortonew · ‎09-29-2017

Add a | mvexpand clientIP after your stats command and it should work. I don't believe iplocation works on multivalue fields

hmrabet2 · ‎09-29-2017

Thanks that's done the trick

richgalloway · ‎09-29-2017

If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.

Can't get iplocation to work in my search