Splunk Search

How can I use Geolocation of a private IP space?

ShaunBaker
Path Finder

I want to use the geostats feature, but how do I do so on a private WAN when the syslog does not have Lat/Long fields in the raw data? I have an eval that assigns a city to an address space; is there a way to tack onto this eval/lookup a way to plug in Lat and Long? I don't mind having to manually input the Lat/Long in the .csv, but I don't know how to make Splunk read those fields in the lookup table and output the map with location.

0 Karma
1 Solution

nabeel652
Builder

Well, you can set up a lookup table that has all the subnets and the necessary info, like:

IPv4Address,SubnetMask,City,lat,lon
203.25.11.0/24,255.255.255.0,CityXYZ,xxxx,yyyy

Now create a lookup definition, say resolveIP, based on that .csv and add

CIDR(IPv4Address) in the field "Match Type"

In your search for the map chart:

...your search | lookup resolveIP IPv4Address OUTPUT City lat lon | geostats maxzoomlevel=18 globallimit=0 count by City

Hope that will help

0 Karma

niketnilay
Legend

@nabeel652, as a search optimization you should perform stats first... then lookup and finally geostats. This way data enrichment happens for aggregated field rather than all events.

<BaseSearch> 
| stats count by IPv4Address 
| lookup resolveIP IPv4Address OUTPUT City lat lon 
| geostats maxzoomlevel=18 globallimit=0 sum(count) by City

Refer to documentation for this search optimization: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Geostats#Usage

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
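To check a lookup table like the one above before uploading it, and to see what the stats-then-lookup ordering niketnilay describes produces, here is an added Python model of the CIDR-matching lookup and the per-city aggregation. It is example code written for this page, not Splunk's implementation and not code from either poster; the CSV rows, event IPs and coordinates are constructed, and the choice to let the most specific subnet win on overlapping entries is this example's own, not a statement of how Splunk orders overlapping CIDR matches.

```python
"""Offline model of a CIDR-matching Splunk lookup feeding geostats.

Added example, not code from the thread or from Splunk. It assumes a lookup
CSV with the columns shown in the answer (IPv4Address, SubnetMask, City, lat,
lon) and imitates `| stats count by src_ip | lookup resolveIP ... | geostats
sum(count) by City`, so the table can be validated before it is uploaded.
All IPs, subnets and coordinates below are constructed sample values.
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed lookup table in the same shape as the answer's example.
LOOKUP_CSV = """IPv4Address,SubnetMask,City,lat,lon
10.10.0.0/16,255.255.0.0,Sydney,-33.8688,151.2093
10.20.0.0/16,255.255.0.0,Melbourne,-37.8136,144.9631
10.20.5.0/24,255.255.255.0,Geelong,-38.1499,144.3617
"""

# Constructed events: the source IP each syslog line would yield as a field.
EVENTS = [
    {"src_ip": "10.10.3.4"},
    {"src_ip": "10.10.9.9"},
    {"src_ip": "10.20.1.1"},
    {"src_ip": "10.20.5.7"},    # inside both 10.20.0.0/16 and 10.20.5.0/24
    {"src_ip": "192.168.1.1"},  # no matching subnet in the table
]


def load_lookup(text):
    """Parse the CSV into (network, row) pairs. Rows whose CIDR is invalid
    (host bits set, bad notation) or whose lat/lon are not numbers, such as
    the 'xxxx' placeholders, are reported as errors instead of loaded."""
    rows, errors = [], []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            net = ipaddress.ip_network(row["IPv4Address"], strict=True)
            float(row["lat"])
            float(row["lon"])
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        rows.append((net, row))
    return rows, errors


def overlapping_subnets(rows):
    """Return pairs of CIDR strings whose ranges overlap, so the analyst can
    decide which City such addresses should map to rather than rely on table order."""
    pairs = []
    for i, (a, _) in enumerate(rows):
        for b, _ in rows[i + 1:]:
            if a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs


def resolve_ip(ip, rows):
    """Emulate `lookup resolveIP IPv4Address OUTPUT City lat lon` for one address.
    On overlapping entries the longest prefix wins (this example's choice)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, row in rows:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, row)
    return best[1] if best else None


def count_by_city(events, rows, ip_field="src_ip"):
    """stats first, then lookup, then aggregate: count per distinct IP, enrich
    each IP once, and sum the counts per City. Returns {City: (count, lat, lon)}.
    IPs with no matching subnet get no coordinates and are left off the map."""
    per_ip = Counter(event[ip_field] for event in events)
    out = {}
    for ip, n in per_ip.items():
        row = resolve_ip(ip, rows)
        if row is None:
            continue
        city = row["City"]
        cnt, lat, lon = out.get(city, (0, float(row["lat"]), float(row["lon"])))
        out[city] = (cnt + n, lat, lon)
    return out


if __name__ == "__main__":
    table, problems = load_lookup(LOOKUP_CSV)
    for problem in problems:
        print("lookup error:", problem)
    for a, b in overlapping_subnets(table):
        print("overlapping subnets:", a, "and", b)
    for city, (n, lat, lon) in count_by_city(EVENTS, table).items():
        print(f"{city:10s} count={n} lat={lat} lon={lon}")
```

Running it with the answer's own sample row (lat `xxxx`, lon `yyyy`) reports a line error rather than silently loading a row that geostats could never place, and the overlap report flags the 10.20.0.0/16 and 10.20.5.0/24 pair so the table author can confirm the intended city.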

nabeel652
Builder

@niketnilay
You're right, but that's not what we're focusing on here. It may come under

...your search |

that I mentioned before the search. Anyway, thanks for pointing it out 🙂

0 Karma

ddrillic
Ultra Champion

Right, because the lookup command would function as the iplocation one.

0 Karma