I need to define "Remote login from different locations within 1 hour", but my VPN log doesn't have information concerning the country; it just shows the IP. How can I do that?
Just use the built-in iplocation command:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Iplocation
Like this:
Your Base Search Here (assuming field named "clientip") | iplocation clientip | stats count values(clientip) BY City Country
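A sketch of the full "different locations within 1 hour" search built on the iplocation answer above (an added example, not part of the original post). The index name `your_vpn_index` is a placeholder and the `user` field is an assumption about the VPN log; `clientip` is the field name assumed in the answer. It uses a sliding one-hour window, so two logins a few minutes apart are caught even when they straddle an hour boundary, and it drops events where iplocation returned no country so that unresolved IPs do not count as a location.

```spl
index=your_vpn_index
| iplocation clientip
| where Country!=""
| sort 0 _time
| streamstats time_window=1h dc(Country) AS country_count values(Country) AS countries values(clientip) AS ips BY user
| where country_count > 1
| table _time user clientip Country countries ips
```

Private or otherwise unresolvable addresses never yield a Country value, so a user who only appears from such addresses will not be evaluated by this search.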
Thanks, should I update the iplocation in Splunk? I found
http://dev.maxmind.com/geoip/geoip2/geolite2/
Thanks, for most of the fields it returned nothing in Country. Should I update the iplocation in Splunk? I found
http://dev.maxmind.com/geoip/geoip2/geolite2/