Geolocation Issue: 1 datamodel, 2 queries, 2 different results

frog22
Explorer

The problem: when running two different queries within one data model that use a GeoIP lookup and query the exact same IP address, they each produce a different result.

The Questions: why is this happening and how do I correct it?

The basic setup consists of a Heavy Forwarder, an Indexer, and a Search Head. The geolocation database has been updated on the Search Head and Indexer. Each server only has one geolocation database.

A test datamodel was created and geolocation fields were created within the datamodel. The fields were created within the GUI (data models, add field, Geo IP). I have conducted queries and these fields populate results (queries can be conducted on IPv4 & IPv6 addresses), so I know that the datamodel and the GeoIP fields work.

The queries and results:

 - Address: 2606:2e00:8003:1b::1f42

 - Query #1: Australia is the result

       | tstats count AS Unique_IPs FROM datamodel="test" BY test.test_City test.test_Country

 - Query #2: United States is the result

       | datamodel test search | where src_ip="2606:2e00:8003:1b::1f42" | table src_ip test_City test_Country


scelikok
Champion

Hi @frog22,

I think that IP address was seen as Australia while the test datamodel was accelerated, and the country info changed to US afterwards.

With this assumption:

The tstats command uses accelerated data; that is why Country is Australia.

The datamodel command works like a normal search, so it looks up the Country info at search time.

That is why they may give different results.

If this reply helps you an upvote is appreciated.


scelikok
Champion

Hi @frog22,

Yes, correct. I don't know if it would be suitable for your use case, but the solution may be removing the Country and City fields from that data model and adding iplocation after the search.

If this reply helps you an upvote is appreciated.
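Two searches that put the advice above into practice, added here as an example and not taken from the thread. The first compares the City/Country stored in the accelerated summary against a live iplocation lookup for the IP from the question, so a stale summary shows up as stale=yes; the second is the suggested pattern, aggregating on the raw IP from the summary and geolocating at search time. Both assume the data model's root object test exposes the address as test.src_ip (an assumed field name, taken from the src_ip used in Query #2).

```spl
| tstats summariesonly=true count
    FROM datamodel="test"
    WHERE test.src_ip="2606:2e00:8003:1b::1f42"
    BY test.src_ip test.test_City test.test_Country
| rename test.src_ip AS src_ip, test.test_City AS accel_City, test.test_Country AS accel_Country
| iplocation src_ip
| rename City AS live_City, Country AS live_Country
| eval stale=if(accel_Country!=live_Country OR accel_City!=live_City, "yes", "no")
| table src_ip accel_City accel_Country live_City live_Country stale count

| tstats summariesonly=true count FROM datamodel="test" BY test.src_ip
| rename test.src_ip AS src_ip
| iplocation src_ip
| stats sum(count) AS count BY src_ip City Country
```

Run the two blocks as separate searches; summariesonly=true forces tstats to read only the accelerated summaries, so the first search never silently falls back to a live search and hides the difference.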


frog22
Explorer

@scelikok,

Greatly appreciate the time and help! It took me a little while, but I think I may understand your answer. Datamodel acceleration builds "data summaries" of indexed data, so it takes a snapshot (based upon the constraints placed on the datamodel) of the ingested data and calculated fields. If a lookup database for a calculated field changes after the data has been accelerated, then the indexed data in an accelerated datamodel would not change until the data is re-accelerated. Is this correct?
