Hello Splunk users,
It is not a long time since I started using Splunk. I have Google Maps API installed and I am trying to locate the location of IPs in my logs.
As an example of the queries I apply I give you the following 2:
1) sourcetype=LogEvents | geoip clientip=12.34.56.78
The above query returns thousands of logs. However, with the specific IP there is only 1 (one) log in reality. Last, even though it returns so many logs, in the map there are only about 20 dots with location.
2) sourcetype=LogEvents remote access failed | geoip clientip=12.34.56.78
The above query works fine in that it returns the correct number of failed logs. The thing is, however, that again not all returned logs belong to that IP address. They are only the "failed" logs as defined by the query.
Any, any thoughts, are greatly appreciated!
Best regards,
Evangelos
If you want to filter by clientip then you can do that before the first pipe.
As for upgrading to 6, that's easy as can be. Just do an upgrade install, no need to uninstall first. Always keep an up-to-date backup of course 🙂
Precision varies, resolving IP to location is not an exact science.
Okay, that seems to be working as for now, part of it at least.
What I did is this: sourcetype=LogEvents remote access failed 12.34.56.78 | geoip
It now returns the correct number of logs, but not in the exact location, only country. Is this how it works?
I am considering the upgrade, but I am deferring for now because I am a newbie.
Hi Martin,
Thanks for commenting on this. What I am trying to do is to find the location from where a specific IP created a log.
I currently have v5.0.2 installed. I think it would be quite difficult to uninstall and install from scratch at version 6.
Regards,
Evangelos
What are you trying to achieve by specifying a concrete IP when calling geoip?
Also, you should take a look at Splunk 6 - that comes with a built-in iplocation command.
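Putting the two answers together (filter on the IP before the first pipe, then let the Splunk 6 iplocation command enrich the result), here is an added example search that is not from the thread or from Splunk's own documentation. It assumes the client address is extracted into a field named clientip and uses the City, Country, Region, lat and lon fields that iplocation adds:

```spl
sourcetype=LogEvents "remote access failed" clientip=12.34.56.78
| iplocation clientip
| stats count BY clientip Country Region City lat lon
```

Replacing the final stats line with `| geostats count BY clientip` plots the same events on a map, since geostats reads the lat and lon fields by default. City and Region stay empty when the bundled GeoIP database only knows the address at country level, which is the precision limit the thread observes rather than a search error.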