Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to add a clientip field to data sources for the iplocation command?

brian1_tate
Path Finder
‎09-19-2016 01:51 PM

I have a general question and I am more of a power user than admin level here (but I'm in the process of becoming one).

I went to use the iplocation command today from a data source (which we do not have - I suppose I need to define those too) but instead data that is simply tossed into indexes. When I examined firewall data, I noticed that there was no field clientip and therefore iplocation would not work. I know I can tag the src_ip field or something of that nature but what if I wanted to normalize this across any data index?

Furthermore, if I may make another inquiry - being there are no sourcetypes - just data in indexes, how would one go about defining those from the fields that are extracted?

Thank you all!

0 Karma
Reply

Jeremiah
Motivator
‎09-19-2016 03:46 PM

Any data in Splunk will have a host, source, and sourcetype field. So when you say you don't have sources or sourcetypes, you still must have some values in those fields? And maybe the issue is they are the same regardless of the actual source or type of data that isindexed?

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎09-19-2016 03:43 PM
  1. There are always sourcetypes, even if they're made up.
  2. The iplocation command accepts an argument for the field containing the IP information; it doesn't have to be called clientip.
  3. If you extract a field containing an IP address (by whatever name) you can still use iplocation against this field.

Let's say you have a field called firewall_src, just run:

< base search to find events > | iplocation firewall_src. Now you have additional enrichment on your events. You can then do something like geostats count to plot these on a map.

It's not likely to work against RFC1918 addresses, however.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...