Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why isn't iplocation report providing the city, country under statistics?

tkerr1357
Path Finder
‎04-05-2022 09:14 AM

hello all,

I am trying to figure out why my iplocation report isnt providing the city,country under statistics. Below is my search that is providing the IP field in the table but the other two columns are blank. Any assistance would be great here. 

index=wineventlog EventCode=4624
| search src_ip="*" ComputerName="*" user="*"
| eval "Source IP" = coalesce(src_ip,"")
| eval clientip=src_ip
| iplocation allfields=false "Source IP"
| table "Source IP", city, country

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎04-05-2022 10:11 AM

"city" and "country" fields are not the same as "City" and "Country".

With splunk field names are case-sensitive.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎04-05-2022 10:11 AM

"city" and "country" fields are not the same as "City" and "Country".

With splunk field names are case-sensitive.

0 Karma
Reply
Solved! Jump to solution

Stefanie
Builder
‎04-05-2022 10:10 AM

Are your IP addresses internal? The iplocation command utilizes information from 3rd party databases to tell it where the IPs are originating from.  Your internal IPs will not work with the IP location command.

 

Try this command. Its an example from Splunk's Documentation

| makeresults 
| eval myip="2001:4860:4860::8888" 
| iplocation myip

If it returns the Country as United Stats and the latitude/longitude then the iplocation command works in your environment.

 

https://docs.splunk.com/Documentation/Splunk/8.2.5/SearchReference/Iplocation

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...