Splunk Search

IPLOCATION displaying wrong Country

nathanluke86
Communicator

Hello,

I am having an issue with IPLOCATION displaying the wrong Country using the following query.

index="office365" sourcetype = o365* Workload=AzureActiveDirectory Operation=UserLoggedin ActorIpAddress=152.37.xxx.xxx | iplocation ActorIpAddress |table Country

Which shows the country as "United States".

Checked the web on different IP locators and all show the IP as UK, which is the correct location.

If I run this query:

| makeresults
| eval ip="152.37.xxx.xxx"
| iplocation ip
| table Country, ip

The country displays as the UK.

Anyone know what is causing this issue? I have updated the mmdb file to the latest release.

TIA

solarboyz1
Builder

From what you are showing... both searches should be doing the exact same thing... which is looking up 152.37.xxx.xxx in the local GeoLite2-City database.

If they are looking up the exact same values and returning different countries... that sounds like a bug.

I mean, you could try something like:

index=o365 sourcetype = o365* Workload=AzureActiveDirectory Operation=UserLoggedin ActorIpAddress=152.*
| iplocation prefix=IpLoc1_ ActorIpAddress
| eval ip=ActorIpAddress
| iplocation prefix=IpLoc2_ ip
| table ActorIpAddress IpLoc1_Country ip IpLoc2_Country

Which effectively runs both the searches you had above and compares them.

Is there any chance there is a Country field in the data already that could be causing issues?
I have o365 data and don't see any, but that could cause an issue.

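An added diagnostic search (my own, not from either poster) that extends the comparison above with the other checks worth making here: the raw field value and its length, any Country field already present on the event before the lookup (renamed out of the way so it cannot collide with the lookup output), both prefixed lookups side by side, and a count so the mismatching IPs stand out. The geo1_/geo2_ prefixes, the event_Country name and the mismatch column are my own names, not anything from the poster's data.

```spl
index="office365" sourcetype=o365* Workload=AzureActiveDirectory Operation=UserLoggedin ActorIpAddress=152.37.*
| eval raw_ip=ActorIpAddress, raw_len=len(ActorIpAddress)
| rename Country AS event_Country
| iplocation prefix=geo1_ ActorIpAddress
| eval ip=ActorIpAddress
| iplocation prefix=geo2_ ip
| fillnull value="-" event_Country geo1_Country geo2_Country
| eval mismatch=if(geo1_Country=geo2_Country, "no", "yes")
| stats count BY raw_ip raw_len event_Country geo1_Country geo2_Country mismatch
| sort -mismatch, -count
```

The fillnull step matters because stats BY silently drops any event in which one of the grouping fields is missing, which would hide exactly the rows of interest. A raw_len that differs between rows for the same printed IP points at stray whitespace or formatting in ActorIpAddress rather than at the database.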

solarboyz1
Builder

The iplocation data is returned from the GeoLite2-City.mmdb database file in $SPLUNK_HOME/share/.

You can update that file, or if you get a GeoIP subscription, you can replace that file with one of the available database files with more accuracy.

https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Iplocation
https://dev.maxmind.com/geoip/updating-databases?lang=en

nathanluke86
Communicator

@solarboyz1

Thanks for the response,

I have updated the GeoLite2-City.mmdb file in $SPLUNK_HOME/share/. This has not made any difference.

I feel it's something to do with the query, as when I use the following query the country displays as GB, which is correct.

| makeresults
| eval ip="152.37.xx.xxx"
| iplocation ip
| table Country, ip

Thanks,

solarboyz1
Builder

Depending on the subnet, 152.37.xxx.xxx could be either US or UK.

The following returns US:

| eval ip="152.37.11.2"

The following returns UK:

| eval ip="152.37.111.2"


Do you have specific entries you are referring to?

nathanluke86
Communicator

@solarboyz1

The IP is a UK IP address.

As explained above, both queries are for the same unique IP, but the Office365 query shows the IP as being in the US and the makeresults query shows the IP as in the UK (which is correct and the desired outcome).

We have an Office 365 dashboard map that shows successful logins by country, but some of the results are wrong and we can't work out why.

I think the mmdb file is correct, as we are getting the desired outcome when using the makeresults query.

Thanks,