Splunk Search

Using lookup file to update field value

guruwells
Explorer

Hi Everyone,
My requirement is, using client ip's need to display Country with geomap. Here my concern is my ip's private ip's and doesnt have country value. Something USA, India, China. I got some info from my netwrok team, saying these ip's are coming from these countries like that. For that data, I have created lookup file (format of csv) which contains c_ip, State, Location and Country. Now using query I wanted to update Country value which is there in iis or displaying purpose.

index=default sourcetype=iis|iplocation c_ip| geostats count by Country

Here by default Country field is empty.

Created Lookup table

|inputlookup geo_sample_ip_countries.csv

here I will get

c_ip State Location Country
10.92.32.10 XXXXXXX XXXXX India

Now I wanted to display Country geomap based on client ip (c_ip).

I have tried using join query, it's not worked as expectations.

Please suggest me on this.

Tags (1)
0 Karma
1 Solution

sundareshr
Legend

Try this. You will need to insure the format for Country is the same as the one returned by iplocation command.

index=default sourcetype=iis |lookup geo_sample_ip_countries.csv c_ip AS c_ip OUTPUT Country | geostats count by Country

View solution in original post

0 Karma

sundareshr
Legend

Try this. You will need to insure the format for Country is the same as the one returned by iplocation command.

index=default sourcetype=iis |lookup geo_sample_ip_countries.csv c_ip AS c_ip OUTPUT Country | geostats count by Country
0 Karma
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Admins and Analyst can benefit from:  Seamlessly route data to your local file system to save on storage ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...