Splunk Search

How to add a clientip field to data sources for the iplocation command?

brian1_tate
Path Finder

I have a general question and I am more of a power user than admin level here (but I'm in the process of becoming one).

I went to use the iplocation command today from a data source (which we do not have - I suppose I need to define those too) but instead data that is simply tossed into indexes. When I examined firewall data, I noticed that there was no field clientip and therefore iplocation would not work. I know I can tag the src_ip field or something of that nature but what if I wanted to normalize this across any data index?

Furthermore, if I may make another inquiry - being there are no sourcetypes - just data in indexes, how would one go about defining those from the fields that are extracted?

Thank you all!

0 Karma

Jeremiah
Motivator

Any data in Splunk will have a host, source, and sourcetype field. So when you say you don't have sources or sourcetypes, you still must have some values in those fields? And maybe the issue is they are the same regardless of the actual source or type of data that is indexed?

0 Karma

sowings
Splunk Employee
  1. There are always sourcetypes, even if they're made up.
  2. The iplocation command accepts an argument for the field containing the IP information; it doesn't have to be called clientip.
  3. If you extract a field containing an IP address (by whatever name) you can still use iplocation against this field.

Let's say you have a field called firewall_src, just run:

    <base search to find events> | iplocation firewall_src

Now you have additional enrichment on your events. You can then do something like geostats count to plot these on a map.

It's not likely to work against RFC1918 addresses, however.

0 Karma
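An added example, not part of any post above: one way to apply the answer across data whose IP field name varies, by coalescing the candidate fields into one before calling iplocation and dropping RFC1918 addresses first, since they will not geolocate. The field names clientip, src_ip and firewall_src are the ones mentioned in this thread and are assumptions about your data; the combined field name ip is hypothetical.

```spl
<base search to find events>
| eval ip=coalesce(clientip, src_ip, firewall_src)
| where isnotnull(ip)
    AND NOT (cidrmatch("10.0.0.0/8", ip)
        OR cidrmatch("172.16.0.0/12", ip)
        OR cidrmatch("192.168.0.0/16", ip))
| iplocation ip
| geostats latfield=lat longfield=lon count
```

coalesce takes the first non-null field per event, so one search covers events from different sources without renaming anything at index time.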