Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why iplocation search returns fields, but no expected results related to iplocation?

xyzzylatest
Engager
‎10-27-2014 12:33 PM

I'm attempting to use iplocation with searches, but it is not returning any additional fields. I am trying to search like so: "220.135.91.199" | iplocation src_ip

It returns records, but none of the fields related to iplocation. The splunk host can access the internet, and I have confirmed it can access the hostip.info site.

Any help or hints/tips would be appreciated!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Jeff_Lightly_Sp
Communicator
‎10-27-2014 12:44 PM

I can do this search:

index=firewall | iplocation src_ip and it returns values such as City & Country.

Be sure you are matching up the src_ip argument on iplocation with a valid field on your first search.

View solution in original post

Reply
Solved! Jump to solution
Solution

Jeff_Lightly_Sp
Communicator
‎10-27-2014 12:44 PM

I can do this search:

index=firewall | iplocation src_ip and it returns values such as City & Country.

Be sure you are matching up the src_ip argument on iplocation with a valid field on your first search.

Reply
Solved! Jump to solution

xyzzylatest
Engager
‎10-28-2014 03:24 PM

Installed latest update to splunk and iplocation started working. Thanks for helping Jeff!

0 Karma
Reply
Solved! Jump to solution

Jeff_Lightly_Sp
Communicator
‎10-27-2014 02:09 PM

I do see some iplocation search references in SPLUNKD.LOG. Perhaps there are errors there? I do know that iplocation is now built in to Splunk (used to be a Python script) so that would make sense that it is there.

0 Karma
Reply
Solved! Jump to solution

xyzzylatest
Engager
‎10-27-2014 02:14 PM

Thanks for the tip! I searched splunkd.log and wasn't able to location any iplocation references. the only references I found were in the splunkd_access.log and web_access.log files. They are not error messages, but have iplocation in the URL that was called (probably from me attempting to use iplocation in searchs).

0 Karma
Reply
Solved! Jump to solution

xyzzylatest
Engager
‎10-27-2014 12:51 PM

I added src_ip, which is a valid field for the search I'm doing, but still no joy on City or Country fields. Is there a log I can check to see if there are errors that are not being presented in the UI?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...