Re: append new column based on presearch results

hjwang · ‎04-13-2011

Hi there,i i would like to append new colunms to presearch results,for example,the search

host="x.x.x.x" eventtype="yyy" | stats count(SRC_IP) by SRC_IP | sort - count(SRC_IP) | head 10

The results will be top 10 SRC_IP and its "counts". Now if i wanna know each row's SRC_IP from which country, how can i do further search? (use subsearch?)? In general to say, how to append new column based on presearch? thanks

dwaddle · ‎04-13-2011

For this particular problem, I think there is an app in Splunkbase that will help with it. There is a MAXMIND GeoIP app at http://splunkbase.splunk.com/apps/All/4.x/Add-On/app:Geo+Location+Lookup+Script

host="x.x.x.x" eventtype="yyy" 
| stats count(SRC_IP) by SRC_IP 
| sort - count(SRC_IP) 
| head 10
| lookup geoip SRC_IP as iplocation

hjwang · ‎04-14-2011

i found the correcy sytax will be 【lookup geoip clientip as SRC_IP OUTPUT client_country as country】, thanks

hjwang · ‎04-14-2011

Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table. The lookup table fields_list=clientip client_country client_region client_city client_lat client_lon. but it still not work when replacing SRC_IP with clientip

append new column based on presearch results

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes