Splunk Search

Using logs with IP addresses, how can I develop a search that detects remote logins from different geolocations within 1 hour?

Path Finder

I need to define remote login from different locations within 1 hour, but my VPN log doesn't have information about the country; it just shows the IP. How can I do that?

0 Karma

Re: Using logs with IP addresses, how can I develop a search that detects remote logins from different geolocations within 1 hour?

Esteemed Legend

Just use the built-in iplocation command:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Iplocation

Like this:

Your Base Search Here (assuming field named "clientip") | iplocation clientip | stats count values(clientip) BY City Country
0 Karma
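The search above resolves the country per IP but does not yet express the one-hour window from the question. As an added example, not from the thread above, assuming VPN login events in an index named vpn with a user field, an action field and the source address in clientip, the first search counts distinct countries per user within fixed hourly buckets, and the second uses a sliding one-hour window so that two logins straddling an hour boundary are still paired:

```spl
index=vpn action=success user=* clientip=*
| iplocation clientip
| where isnotnull(Country) AND Country!=""
| bin _time span=1h
| stats dc(Country) AS country_count values(Country) AS countries values(clientip) AS src_ips BY user _time
| where country_count > 1

index=vpn action=success user=* clientip=*
| iplocation clientip
| where isnotnull(Country) AND Country!=""
| streamstats time_window=1h dc(Country) AS country_count values(Country) AS countries values(clientip) AS src_ips BY user
| where country_count > 1
```

The `where` clause drops events whose address is not in the bundled MaxMind database (private VPN-assigned ranges never resolve), which would otherwise be counted as an empty "country"; streamstats with time_window requires results in time order, which the default search output already provides.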

Re: Using logs with IP addresses, how can I develop a search that detects remote logins from different geolocations within 1 hour?

Path Finder

Thanks. For most of the fields it returned nothing in Country. Should I update the iplocation database in Splunk? I found
http://dev.maxmind.com/geoip/geoip2/geolite2/

0 Karma

Re: Using logs with IP addresses, how can I develop a search that detects remote logins from different geolocations within 1 hour?

Path Finder

Thanks. Should I update the iplocation database in Splunk? I found
http://dev.maxmind.com/geoip/geoip2/geolite2/

0 Karma