Splunk Search

GEOIP and Internal IP Lookup Problems

MHS
Explorer

I built a CSV file for my internal IP addresses with office coordinates. Here are the first two lines of that text file:

clientip,name,lat,lon
10.200.0.0/8,My Office,38.746971,-90.464752

I went into the GUI and went to Management, Lookups, Lookup Table Files, New and added the file as geoip_internal.csv (making sure the app context was set to Google Maps (maps)).

I then went to Lookup Definitions, New and created geoip_internal and created it using a type of "File-based" and a Lookup file of geoip_internal.csv (making sure the app context was set to Google Maps (maps)).

How do I specify from the GUI that I want to do a CIDR lookup on this?

Right now if I do a search in the Google Maps app using the search string "sourcetype="router" | lookup geoip_internal clientip as host" it says there are 984 matches. My sample data file is only 984 rows. Nothing maps and if I click on "Events" it shows nothing.

If I modify that search to "sourcetype="router" | lookup geoip_internal clientip as host | geoip clientip" it says there are 6 matches. That is right: there are only 6 different hosts in the sample file. It still doesn't map anything and "Events" still shows nothing.

I believe the CIDR lookup is the issue but I could be wrong.


Damien_Dallimor
Ultra Champion

I don't see a way of specifying the CIDR matching via Splunk web.

But you can add a "match_type" property to your lookup stanza in transforms.conf.

Try something like this:

[geoip_internal]
filename = geoip_internal.csv
max_matches = 1
min_matches = 1
match_type = CIDR(clientip)
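As an added illustration (not code from this thread or from Splunk), the following Python models the difference between the plain file-based lookup the question ran, which compares the key field as a string, and the containment test that the match_type = CIDR(clientip) setting enables. The lookup rows and event host values are constructed for the example, and resolving overlapping networks by longest prefix is an assumption of this example, not a documented Splunk rule.

```python
import csv
import io
import ipaddress

# Constructed lookup table in the same shape as geoip_internal.csv from the question.
LOOKUP_CSV = """clientip,name,lat,lon
10.200.0.0/8,My Office,38.746971,-90.464752
10.200.5.0/24,Lab Subnet,38.700000,-90.400000
"""

# Constructed sample host values as a router sourcetype might carry them.
EVENT_HOSTS = ["10.200.5.17", "10.1.2.3", "192.168.1.10", "10.200.5.0/24"]


def load_cidr_lookup(csv_text, cidr_field="clientip"):
    """Parse the CSV and turn the CIDR column into network objects.
    strict=False normalises entries whose host bits are set
    (10.200.0.0/8 becomes 10.0.0.0/8) instead of raising."""
    table = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ipaddress.ip_network(row[cidr_field], strict=False)
        table.append((net, row))
    return table


def exact_lookup(table, value, cidr_field="clientip"):
    """A plain file-based lookup: string equality on the key field, so a
    host address never equals a CIDR string and nothing is enriched."""
    return [row for _, row in table if row[cidr_field] == value]


def cidr_lookup(table, value, max_matches=1):
    """CIDR matching: does the event's address fall inside the row's network?
    Assumption for this example: overlapping rows are ranked by longest prefix."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return []  # a CIDR string or junk in the event field never matches
    hits = [(net, row) for net, row in table if addr in net]
    hits.sort(key=lambda h: h[0].prefixlen, reverse=True)
    return [row for _, row in hits[:max_matches]]


def enrich(hosts, csv_text=LOOKUP_CSV):
    """Map each host to its office name (or None) using CIDR matching."""
    table = load_cidr_lookup(csv_text)
    return {h: (cidr_lookup(table, h) or [{"name": None}])[0]["name"] for h in hosts}
```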

Damien_Dallimor
Ultra Champion

Did you restart Splunk ?


MHS
Explorer

I added this entry to a transforms.conf I created in the /splunk/etc/system/local directory and still nothing is mapping. I may just blow this out and start over again since this is just a lab instance of Splunk. I know I'm missing something very simple here.
