Geolocation Issue: 1 datamodel, 2 queries, 2 different results

frog22
Explorer

The problem: when running two different queries within one data model that utilize a geo IP lookup and query the exact same IP address, they each produce a different result.

The questions: why is this happening, and how do I correct it?

The basic setup consists of a Heavy Forwarder, an Indexer, and a Search Head. The geolocation database has been updated on the Search Head and Indexer. Each server only has one geolocation database.

A test datamodel was created and geolocation fields were created within the datamodel. The fields were created within the GUI (data models, add field, Geo IP). I have conducted queries and these fields populate results (queries can be conducted on IPv4 & IPv6 addresses), so I know that the datamodel and the geoip fields work.

The queries and results:

- Address: 2606:2e00:8003:1b::1f42

- Query #1: Australia is the result

    | tstats count AS Unique_IPs FROM datamodel="test" BY test.test_City test.test_Country

- Query #2: United States is the result

    | datamodel test search | where src_ip="2606:2e00:8003:1b::1f42" | table src_ip test_City test_Country

0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @frog22,

I think that IP address was seen as Australia while the test datamodel was accelerated, and the country info changed to US.

With this assumption:

The tstats command uses accelerated data; that is why Country is Australia.

The datamodel command works like a normal search, so it queries the Country info at search time.

That is why they may give different results.

If this reply helps you an upvote and "Accept as Solution" is appreciated.


scelikok
SplunkTrust
SplunkTrust

Hi @frog22,

Yes, correct. I don't know if it would be suitable for your use case, but the solution may be removing the Country and City fields from that data model and adding iplocation after the search.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
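The workaround described above, written out as SPL. This is an added example, not code from scelikok's reply or from the original question; it assumes the data model's root dataset is named `test` and carries a `src_ip` field, as the original queries suggest. The first search puts the summarized country beside a live iplocation result for the address from the question, which is the check that confirms the summary is stale. The second is a replacement for Query #1: tstats supplies only the IP and the count from the summary, and the geo fields are computed at search time by iplocation, so they always reflect the geolocation database currently installed on the search head.

```spl
| tstats count FROM datamodel="test" WHERE test.src_ip="2606:2e00:8003:1b::1f42" BY test.src_ip test.test_Country
| rename test.src_ip AS src_ip, test.test_Country AS summary_Country
| iplocation src_ip
| table src_ip summary_Country Country

| tstats count FROM datamodel="test" BY test.src_ip
| rename test.src_ip AS src_ip
| iplocation src_ip
| stats sum(count) AS events, dc(src_ip) AS Unique_IPs BY City Country
```

Run the two searches separately. If summary_Country and Country differ in the first one, the accelerated summary was built against an older geolocation database and will keep returning that value until the data model is rebuilt.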

frog22
Explorer

@scelikok,

Greatly appreciate the time and help!  It took me a little while, but I think I may understand your answer.  Datamodel acceleration...it builds "data summaries"....indexed data.....so, it takes a snapshot (based upon the constraints placed on the datamodel) of the ingested data and calculated fields.  If a lookup database for a calculated field changes after the data has been accelerated, then the indexed data in an accelerated datamodel would not change until the data is re-accelerated.  Is this correct?

0 Karma