Using lookup file to update field value

guruwells
Explorer

Hi Everyone,
My requirement is to display Country on a geomap using client IPs. My concern is that my IPs are private IPs and don't have a country value, something like USA, India, China. I got some info from my network team saying which countries these IPs are coming from. For that data, I have created a lookup file (CSV format) which contains c_ip, State, Location and Country. Now, using a query, I want to update the Country value which is there in iis for display purposes.

index=default sourcetype=iis|iplocation c_ip| geostats count by Country

Here, by default, the Country field is empty.

I created a lookup table:

|inputlookup geo_sample_ip_countries.csv

Here I get:

c_ip State Location Country
10.92.32.10 XXXXXXX XXXXX India

Now I want to display a Country geomap based on client IP (c_ip).

I have tried using a join query, but it did not work as expected.

Please advise me on this.

sundareshr
Legend

Try this. You will need to ensure the format for Country is the same as the one returned by the iplocation command.

index=default sourcetype=iis |lookup geo_sample_ip_countries.csv c_ip AS c_ip OUTPUT Country | geostats count by Country
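
An added example, not part of either post: a variant of the search above that keeps iplocation for public addresses and lets the lookup fill in Country for the private ones. It draws a choropleth with geom geo_countries instead of geostats, on the assumption that the CSV has no latitude/longitude columns (geostats needs both); the field names geoip_country and lookup_country are made up for the example.

```spl
index=default sourcetype=iis
| iplocation c_ip
| rename Country AS geoip_country
| lookup geo_sample_ip_countries.csv c_ip OUTPUT Country AS lookup_country
| eval Country=coalesce(lookup_country, nullif(geoip_country, ""), "Unknown")
| stats count BY Country
| geom geo_countries featureIdField=Country
```

The Country values in the CSV have to be spelled the way iplocation and geo_countries spell them (for example "United States" rather than "USA"), otherwise those rows end up with no shape on the map.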
