Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I use Geolocation of a private IP space?

ShaunBaker
Path Finder
‎02-08-2018 02:46 PM

I want to use the geostats feature but how do I do so on a private WAN and the syslog does not have Lat Long fields/raw data? I have an eval that assigns a city to an address space, is there a way to tack onto this eval/lookup a way to plug in Lat and Long? I don't mind having to manually input the Lat Long in the .csv, but I don't know how to make splunk read those fields in the lookup table and output the map with location.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nabeel652
Builder
‎02-08-2018 03:27 PM

Well you can setup a lookup table that has all the subnets and necessary info like:

IPv4Address                   SubnetMask                     City                               lat             lon         
203.25.11.0/24               255.255.255.0                    CityXYZ                       xxxx            yyyy

Now create a lookup definition, say resolveIP, based on that .csv and add

CIDR(IPv4Address) in the field "Match Type"

in your search for map chart

...your search | lookup resolveIP IPv4Address OUTPUT City lat lon | geostats maxzoomlevel=18 globallimit=0 count by City

Hope that will help

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nabeel652
Builder
‎02-08-2018 03:27 PM

Well you can setup a lookup table that has all the subnets and necessary info like:

IPv4Address                   SubnetMask                     City                               lat             lon         
203.25.11.0/24               255.255.255.0                    CityXYZ                       xxxx            yyyy

Now create a lookup definition, say resolveIP, based on that .csv and add

CIDR(IPv4Address) in the field "Match Type"

in your search for map chart

...your search | lookup resolveIP IPv4Address OUTPUT City lat lon | geostats maxzoomlevel=18 globallimit=0 count by City

Hope that will help

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎02-10-2018 08:40 PM

@nabeel652, as a search optimization you should perform stats first... then lookup and finally geostats. This way data enrichment happens for aggregated field rather than all events.

<BaseSearch> 
| stats count by IPv4Address 
| lookup resolveIP IPv4Address OUTPUT City lat lon 
| geostats maxzoomlevel=18 globallimit=0 sum(count) by City

Refer to documentation for this search optimization: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Geostats#Usage

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

nabeel652
Builder
‎02-10-2018 10:13 PM

@niketnilay
You’re right but that’s not what we’re focusing here. It may come under

...your search |

That I mentioned before the search. Anyway thanks for pointing out 🙂

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎02-10-2018 05:07 PM

Right, because the lookup command would function as the iplocation one..

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top