Geolocation Issue: 1 datamodel, 2 queries, 2 different results

frog22
Explorer

The problem: when running two different queries within one data model that use a GeoIP lookup and query the exact same IP address, each produces a different result.

The Questions: why is this happening and how do I correct it?

The basic setup consists of a Heavy Forwarder, an Indexer, and a Search Head. The geolocation database has been updated on the Search Head and Indexer. Each server has only one geolocation database.

A test datamodel was created and geolocation fields were created within the datamodel. The fields were created within the GUI (data models, add field, Geo IP). I have conducted queries and these fields populate results (queries can be conducted on IPv4 and IPv6 addresses), so I know that the datamodel and the GeoIP fields work.

The queries and results:

- Address: 2606:2e00:8003:1b::1f42

- Query #1: Australia is the result

     | tstats count AS Unique_IPs FROM datamodel="test" BY test.test_City test.test_Country

- Query #2: United States is the result

     | datamodel test search | where src_ip="2606:2e00:8003:1b::1f42" | table src_ip test_City test_Country


scelikok
SplunkTrust

Hi @frog22,

I think that IP address was seen as Australia while the test datamodel was accelerated, and the country info changed to US afterwards.

With this assumption:

The tstats command uses accelerated data, that is why Country is Australia.

The datamodel command works like a normal search, so it queries the Country info at search time.

That is why they may give different results.

If this reply helps you an upvote is appreciated.

scelikok
SplunkTrust

Hi @frog22,

Yes, correct. I don't know if it would be suitable for your use case, but the solution may be removing the Country and City fields from that data model and adding iplocation after the search.

If this reply helps you an upvote is appreciated.
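The two searches below are an added example, not part of the thread. The first puts the Country/City values stored in the acceleration summary side by side with a live `iplocation` lookup for the same address, so a stale summary shows up as a mismatch; the second is the remedy scelikok describes, with the geo fields resolved after `tstats` against the current database. Both assume the data model's root object is named `test` and exposes a `src_ip` field, which the original queries imply but do not confirm.

```spl
| tstats count AS event_count
    FROM datamodel="test"
    WHERE test.src_ip="2606:2e00:8003:1b::1f42"
    BY test.src_ip test.test_Country test.test_City
| rename test.src_ip AS src_ip, test.test_Country AS summary_Country, test.test_City AS summary_City
| iplocation src_ip
| eval stale=if(summary_Country!=coalesce(Country,"") OR summary_City!=coalesce(City,""), "yes", "no")
| table src_ip summary_Country summary_City Country City stale event_count

| tstats count AS event_count FROM datamodel="test" BY test.src_ip
| rename test.src_ip AS src_ip
| iplocation src_ip
| table src_ip Country City event_count
```

A row with stale="yes" in the first search confirms the summary was built against the older GeoIP database; the second search keeps the speed of tstats for aggregation while every Country/City value comes from the database that is current at search time.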

frog22
Explorer

@scelikok,

Greatly appreciate the time and help! It took me a little while, but I think I may understand your answer. Datamodel acceleration builds "data summaries" (indexed data), so it takes a snapshot (based upon the constraints placed on the datamodel) of the ingested data and calculated fields. If a lookup database for a calculated field changes after the data has been accelerated, then the indexed data in an accelerated datamodel would not change until the data is re-accelerated. Is this correct?
