- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Geoip - Limiting what is displayed
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In my search on a display:
index="stuff" severity="high" OR severity="medium" | top attacker limit=20 | geoip attacker
...the resulting panel shows attacker, count, percent, attacker_country_code, attacker_country_name, attacker_city, attacker_region_name, attacker_latitude, attacker_longitude
How do I limit the geoip (from within the search) to show only country code and region name? I don't see anywhere in the documentation as to how I would do that.
Thanks for the help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I use geoip in a search it is as a lookup which would precede the stats command (or top, or whatever). This lookup is of the form
| lookup geoip clientip as ip
This makes several fields available to be explicitly referenced in the search. If you don't specify them they won't show up. So I'd guess that your geoip is some form of field that expands. Try replacing what you show above with the lookup and add the fields you want.
Alternatively, you could add
| fields attacker count percent attacker_country_code attacker_region_name
to the end of your search to limit the fields that are output.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I use geoip in a search it is as a lookup which would precede the stats command (or top, or whatever). This lookup is of the form
| lookup geoip clientip as ip
This makes several fields available to be explicitly referenced in the search. If you don't specify them they won't show up. So I'd guess that your geoip is some form of field that expands. Try replacing what you show above with the lookup and add the fields you want.
Alternatively, you could add
| fields attacker count percent attacker_country_code attacker_region_name
to the end of your search to limit the fields that are output.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
THANKS! It didn't even cross my mind that the command makes those fields referable. I had to go with the second option though since, in the geoip setup, we do not have lookup geoip enabled.
Video | Welcome Back to Smartness, Pedro
Detector Best Practices: Static Thresholds
Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...
