Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to add a clientip field to data sources for the iplocation command?

brian1_tate
Path Finder
‎09-19-2016 01:51 PM

I have a general question and I am more of a power user than admin level here (but I'm in the process of becoming one).

I went to use the iplocation command today from a data source (which we do not have - I suppose I need to define those too) but instead data that is simply tossed into indexes. When I examined firewall data, I noticed that there was no field clientip and therefore iplocation would not work. I know I can tag the src_ip field or something of that nature but what if I wanted to normalize this across any data index?

Furthermore, if I may make another inquiry - being there are no sourcetypes - just data in indexes, how would one go about defining those from the fields that are extracted?

Thank you all!

0 Karma
Reply

Jeremiah
Motivator
‎09-19-2016 03:46 PM

Any data in Splunk will have a host, source, and sourcetype field. So when you say you don't have sources or sourcetypes, you still must have some values in those fields? And maybe the issue is they are the same regardless of the actual source or type of data that isindexed?

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎09-19-2016 03:43 PM
  1. There are always sourcetypes, even if they're made up.
  2. The iplocation command accepts an argument for the field containing the IP information; it doesn't have to be called clientip.
  3. If you extract a field containing an IP address (by whatever name) you can still use iplocation against this field.

Let's say you have a field called firewall_src, just run:

< base search to find events > | iplocation firewall_src. Now you have additional enrichment on your events. You can then do something like geostats count to plot these on a map.

It's not likely to work against RFC1918 addresses, however.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...