Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can you help me find the location of a session?

jl23
New Member
‎01-18-2019 06:41 AM

I’m examining server logs where, for each session, there are several events. I’m trying to discover the country from which a session originated.

However, some of the events for a session have an IP defined and some don’t in sip field. Meaning that my current search is outputting two locations for the one session (the actual location and null) if the location is known.

index=i_s sourcetype=sess | iplocation sip | chart dc(session) by Country

And adding “dedup session “ to the query returns Unknown for sessions which should have a location.

Any help is appreciated!

0 Karma
Reply

bryhenderson
Explorer
‎01-18-2019 10:09 AM

I don't have the data on hand to examine your search, but you could try adding

| search Country=*

before your chart command, if you only care about sessions with a Country value.

0 Karma
Reply
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...