Splunk Search

Geolocation Issue: 1 datamodel, 2 queries, 2 different results

frog22
Explorer

The problem: when running two different queries within one data model that utilize a GeoIP lookup and query the exact same IP address, each produces a different result.

The Questions: why is this happening and how do I correct it?

The basic setup consists of a Heavy Forwarder, an Indexer, and a Search Head. The geolocation database has been updated on the Search Head and Indexer. Each server only has one geolocation database.

A test datamodel was created and geolocation fields were created within the datamodel. The fields were created within the GUI (data models, add field, Geo IP). I have conducted queries and these fields populate results (queries can be conducted on IPv4 & IPv6 addresses), so I know that the datamodel and the GeoIP fields work.

The queries and results:

- Address: 2606:2e00:8003:1b::1f42

- Query #1: Australia is the result

      | tstats count AS Unique_IPs FROM datamodel="test" BY test.test_City test.test_Country

- Query #2: United States is the result

      | datamodel test search | where src_ip="2606:2e00:8003:1b::1f42" | table src_ip test_City test_Country


scelikok
SplunkTrust

Hi @frog22,

I think that IP address was seen as Australia while the test datamodel was accelerated, and the country info changed to US afterwards.

With this assumption:

The tstats command uses accelerated data; that is why Country is Australia.

The datamodel command works like a normal search, so it queries the Country info at search time.

That is why they may give different results.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

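As an added example (not from the thread), one way to confirm the explanation above in your own environment: group the accelerated summary by its stored GeoIP field, resolve the same IP again with iplocation at search time, and flag rows where the two disagree. It assumes the data model "test" has a root object "test" with a src_ip field (the field names follow the queries in the question; src_ip inside the data model is an assumption).

```spl
| tstats count AS Unique_IPs
    FROM datamodel="test"
    WHERE test.src_ip="2606:2e00:8003:1b::1f42"
    BY test.src_ip test.test_Country
| rename test.src_ip AS src_ip, test.test_Country AS summary_Country
| iplocation src_ip
| eval stale=if(summary_Country!=Country, "yes", "no")
| table src_ip summary_Country Country stale Unique_IPs
```

summary_Country comes from the accelerated summary (built when the data model was last accelerated), while Country comes from iplocation run against the GeoIP database currently installed on the search head. Dropping the WHERE clause turns this into a wider check for how many summarised IPs have drifted since the database update.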

scelikok
SplunkTrust

Hi @frog22,

Yes, correct. I don't know if it would be suitable for your use case, but the solution may be removing the Country and City fields from that data model and adding iplocation after the search.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
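As an added example (not from the thread), the approach suggested above written out in SPL: keep the IP address in the accelerated data model, leave the GeoIP fields out of it, and resolve City and Country with iplocation at search time so the result always reflects the current GeoIP database. It assumes the data model "test" has a root object "test" with a src_ip field (an assumption; the field names are not shown in the thread).

```spl
| tstats count AS Unique_IPs
    FROM datamodel="test"
    WHERE test.src_ip="2606:2e00:8003:1b::1f42"
    BY test.src_ip
| rename test.src_ip AS src_ip
| iplocation src_ip
| table src_ip City Country Unique_IPs
```

The tstats part still benefits from acceleration because it only counts and groups by the stored IP; the lookup cost moves to the (usually small) result set that reaches iplocation, and the Country value can no longer go stale between re-accelerations.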


frog22
Explorer

@scelikok,

Greatly appreciate the time and help! It took me a little while, but I think I may understand your answer. Datamodel acceleration builds "data summaries" (indexed data), so it takes a snapshot (based upon the constraints placed on the datamodel) of the ingested data and calculated fields. If a lookup database for a calculated field changes after the data has been accelerated, then the indexed data in an accelerated datamodel would not change until the data is re-accelerated. Is this correct?
