Splunk Search

GEOIP and Internal IP Lookup Problems

MHS
Explorer

I built a CSV file for my internal IP addresses with office coordinates. Here are the first two lines of that text file:

clientip,name,lat,lon

10.200.0.0/8,My Office,38.746971,-90.464752

I went into the GUI and went to Management, Lookups, Lookup Table Files, New and added the file as geoip_internal.csv (making sure the app context was set to Google Maps (maps)).

I then went to Lookup Definitions, New and created geoip_internal using a type of "File-based" and a Lookup file of geoip_internal.csv (making sure the app context was set to Google Maps (maps)).

How do I specify from the GUI that I want to do a CIDR lookup on this?

Right now if I do a search in the Google Maps app using the search string "sourcetype="router" | lookup geoip_internal clientip as host" it says there are 984 matches. My sample data file is only 984 rows. Nothing maps and if I click on "Events" it shows nothing.

If I modify that search "sourcetype="router" | lookup geoip_internal clientip as host | geoip clientip" it says there are 6 matches. Which is right there are only 6 different hosts in the sample file. It still doesn't map anything and "Events" still shows nothing.

I believe the CIDR lookup is the issue but I could be wrong.


Damien_Dallimor
Ultra Champion

I don't see a way of specifying the CIDR matching via Splunk web.

But you can add a "match_type" property to your lookup stanza in transforms.conf.

Try something like this :

[geoip_internal]
filename = geoip_internal.csv
max_matches = 1
min_matches = 1
match_type = CIDR(clientip)
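To make the difference between the default match and `match_type = CIDR(clientip)` concrete, here is an added, stand-alone Python re-implementation of the lookup step (example code written for this page, not Splunk's code and not part of the thread). It loads a table in the same shape as the poster's geoip_internal.csv (with one extra constructed /24 row and a few constructed router hosts) and runs the same lookup twice: once as an exact string comparison, which is what a file-based lookup does unless a `match_type` is set, and once as a CIDR containment test. With exact matching a host such as 10.200.1.5 can never equal the cell "10.200.0.0/8", so no lat/lon/name fields are added, even though every event still flows through the `lookup` command and is counted. Two things in the code are assumptions rather than documented Splunk behaviour: a prefix with host bits set (10.200.0.0/8) is masked to 10.0.0.0/8 (Python's `strict=False`), which means that row then covers all of 10.0.0.0/8, not just 10.200.x.x; and overlapping rows are resolved in file order with the first `max_matches` rows winning.

```python
"""Constructed demonstration: exact-string lookup match versus a CIDR
match over a Splunk-style lookup CSV. This is illustrative example code,
not Splunk's lookup implementation."""
import csv
import io
import ipaddress

# Constructed lookup table in the same shape as the poster's
# geoip_internal.csv. The second row is added here to show a more
# specific prefix alongside the /8.
LOOKUP_CSV = """clientip,name,lat,lon
10.200.0.0/8,My Office,38.746971,-90.464752
192.168.50.0/24,Branch Lab,41.878113,-87.629799
"""

# Constructed router events, one per distinct host.
EVENTS = [
    {"host": "10.200.1.5", "sourcetype": "router"},
    {"host": "10.7.3.9", "sourcetype": "router"},
    {"host": "192.168.50.12", "sourcetype": "router"},
    {"host": "172.16.0.1", "sourcetype": "router"},
]


def load_lookup(csv_text):
    """Parse the CSV into a list of row dicts, preserving file order."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def lookup(events, table, lookup_field, event_field,
           match_type="exact", max_matches=1):
    """Emulate `| lookup <name> <lookup_field> AS <event_field>`.

    match_type="exact": the event value must equal the lookup cell string
                        (the default for a file-based lookup).
    match_type="cidr":  the lookup cell is a prefix; the event value matches
                        when it is an address inside that prefix. Host bits
                        set in the prefix (10.200.0.0/8) are masked off
                        (strict=False); whether Splunk accepts such a prefix
                        is an assumption of this example.
    Every event is passed through; output columns (all but lookup_field)
    are copied from the matching row. Rows are tried in file order and at
    most max_matches rows are applied (assumed tie-break, first row wins).
    """
    out_fields = [c for c in table[0].keys() if c != lookup_field]
    enriched = []
    for ev in events:
        ev = dict(ev)
        value = ev.get(event_field)
        matches = 0
        for row in table:
            cell = row[lookup_field]
            if match_type == "exact":
                hit = value == cell
            elif match_type == "cidr":
                try:
                    net = ipaddress.ip_network(cell, strict=False)
                    hit = ipaddress.ip_address(value) in net
                except ValueError:
                    hit = False  # malformed prefix or non-IP host: no match
            else:
                raise ValueError("unsupported match_type: %s" % match_type)
            if hit:
                for f in out_fields:
                    ev[f] = row[f]  # OUTPUT semantics: overwrite
                matches += 1
                if matches >= max_matches:
                    break
        enriched.append(ev)
    return enriched


def count_enriched(events, field="lat"):
    """Number of events that actually received a lookup output field."""
    return sum(1 for ev in events if field in ev)


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    exact = lookup(EVENTS, table, "clientip", "host", match_type="exact")
    cidr = lookup(EVENTS, table, "clientip", "host", match_type="cidr")
    print("events passed through (exact):", len(exact))
    print("events enriched (exact):      ", count_enriched(exact))
    print("events enriched (CIDR):       ", count_enriched(cidr))
    for ev in cidr:
        print(ev["host"], "->", ev.get("name", "(no match)"))
```

Running it shows all four events surviving the exact-match lookup with zero of them enriched, while the CIDR run enriches three; note that 10.7.3.9 is matched to "My Office" only because the /8 was normalised to 10.0.0.0/8, which is the kind of over-broad match worth checking for in your own table before trusting the map.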

Damien_Dallimor
Ultra Champion

Did you restart Splunk ?


MHS
Explorer

I added this entry to a transforms.conf I created in the /splunk/etc/system/local directory and still nothing is mapping. I may just blow this out and start over again since this is just a lab instance of Splunk. I know I'm missing something very simple here.
