Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using lookup file to update field value

guruwells
Explorer
‎09-06-2016 03:27 AM

Hi Everyone,
My requirement is, using client ip's need to display Country with geomap. Here my concern is my ip's private ip's and doesnt have country value. Something USA, India, China. I got some info from my netwrok team, saying these ip's are coming from these countries like that. For that data, I have created lookup file (format of csv) which contains c_ip, State, Location and Country. Now using query I wanted to update Country value which is there in iis or displaying purpose.

index=default sourcetype=iis|iplocation c_ip| geostats count by Country

Here by default Country field is empty.

Created Lookup table

|inputlookup geo_sample_ip_countries.csv

here I will get

c_ip State Location Country
10.92.32.10 XXXXXXX XXXXX India

Now I wanted to display Country geomap based on client ip (c_ip).

I have tried using join query, it's not worked as expectations.

Please suggest me on this.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-06-2016 05:09 AM

Try this. You will need to insure the format for Country is the same as the one returned by iplocation command.

index=default sourcetype=iis |lookup geo_sample_ip_countries.csv c_ip AS c_ip OUTPUT Country | geostats count by Country

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-06-2016 05:09 AM

Try this. You will need to insure the format for Country is the same as the one returned by iplocation command.

index=default sourcetype=iis |lookup geo_sample_ip_countries.csv c_ip AS c_ip OUTPUT Country | geostats count by Country
0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...