Splunk Search

Google maps finds a specific IP in multiple areas

evang_26
Communicator

Hello Splunk users,

It is not a long time since I started using Splunk. I have Google Maps API installed and I am trying to locate the location of IPs in my logs.
As an example of the queries I apply I give you the following 2:

1) sourcetype=LogEvents | geoip clientip=12.34.56.78
Above query returns me thousands of logs. However, with the specific IP there is only 1 (one) log in reality. Last, even though it returns me so many logs, in the map there are only about 20 dots with location.

2) sourcetype=LogEvents remote access failed | geoip clientip=12.34.56.78
Above query works fine in that it returns me the correct number of failed logs. The thing is, however, that again not all returned logs belong to that IP address. They are only the "failed" logs as defined by the query.

Any, any thoughts, are greatly appreciated!
Best regards,
Evangelos

0 Karma
1 Solution

martin_mueller
SplunkTrust

If you want to filter by clientip then you can do that before the first pipe.

As for upgrading to 6, that's easy as can be. Just do an upgrade install, no need to uninstall first. Always keep an up-to-date backup of course 🙂

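The accepted answer's point, filtering on the client address before the first pipe and only then resolving location, as an added example search that is not from the original thread. `sourcetype=LogEvents`, the `clientip` field and the sample address `12.34.56.78` are taken from the question; `iplocation` is the Splunk 6 built-in command mentioned further down (on 5.x with the Google Maps app the equivalent is the app's `geoip` command, whose exact argument syntax this thread does not show); the `Country`, `Region`, `City`, `lat` and `lon` fields are the ones `iplocation` adds to each event.

```spl
sourcetype=LogEvents clientip=12.34.56.78 "remote access failed"
| iplocation clientip
| stats count AS failed_attempts, earliest(_time) AS first_seen, latest(_time) AS last_seen BY clientip, Country, Region, City, lat, lon
| convert ctime(first_seen) ctime(last_seen)
```

Two details matter for getting the right events. `clientip=12.34.56.78` restricts on the extracted field, whereas a bare `12.34.56.78` term (as in the later reply) matches the address anywhere in the raw event, including other address fields; and quoting `"remote access failed"` searches for the phrase, while the unquoted words are three independent AND-ed terms. Dropping the `clientip=` term turns the same search into a per-source summary of all failed remote-access attempts with their resolved locations, which is the usual starting point when reviewing such logs; as the answer below notes, `City` and `Region` are frequently empty because IP geolocation is imprecise, so the country-level result is expected rather than an error.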

martin_mueller
SplunkTrust

Precision varies, resolving IP to location is not an exact science.

evang_26
Communicator

Okay, that seems to be working as for now, part of it at least.
What I did is this: sourcetype=LogEvents remote access failed 12.34.56.78 | geoip

It now returns the correct number of logs, but not in the exact location, only country. Is this how it works?

I am considering the upgrade, but I am deferring for now because I am a newbie.

0 Karma

evang_26
Communicator

Hi Martin,

Thanks for commenting on this. What I am trying to do is to find the location from where a specific IP created a log.

I currently have installed v5.0.2. I think it would be quite difficult to uninstall and install from scratch at version 6.

Regards,
Evangelos

0 Karma

martin_mueller
SplunkTrust

What are you trying to achieve by specifying a concrete IP when calling geoip?

Also, you should take a look at Splunk 6 - that comes with a built-in iplocation command.

0 Karma