- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- IPLocation: how to use with both src-ip and dest-i...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I know how to use the iplocation command to obtain geo ip information for a single field, for example:
sourcetype="IPS" | iplocation src_ip | table src_ip, City, Country
Is there a way to return geo ip information for 2 fields (in this case src-ip and dest-ip)? I tried this but it doesn't work:
sourcetype="IPS" | iplocation src_ip, dest_ip | table src_ip, City, Country, dest_ip, City, Country
How would I return geo ip info for both src-ip and dest-ip in a single search?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After some testing I figured it out, the search below works:
sourcetype="IPS" | iplocation src_ip | rename Country as CC1 | iplocation dest_ip | rename Country as CC2 | table src_ip CC1 dest_ip CC2
CC1 is the geo for the src-ip and CC2 is the geo for the dest-ip.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can also accomplish the same thing by doing this:
- sourcetype="IPS" | iplocation prefix=CC1_ src_ip | iplocation prefix=CC2_ dest_ip | table src_ip CC1_Country dest_ip CC2_Country
To access other data iplocation and that isn't part of the default values (ex: timezone) , you would add the allfields=true parameter to each iplocation command:
- sourcetype="IPS" | iplocation prefix=CC1_ allfields=true src_ip | iplocation prefix=CC2_ allfields=true dest_ip | table src_ip CC1_Country CC1_Timezone dest_ip CC2_Country CC2_Timezone
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Iplocation
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After some testing I figured it out, the search below works:
sourcetype="IPS" | iplocation src_ip | rename Country as CC1 | iplocation dest_ip | rename Country as CC2 | table src_ip CC1 dest_ip CC2
CC1 is the geo for the src-ip and CC2 is the geo for the dest-ip.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
