As in subject, I run the following command:
MY_SEARCH | iplocation allfields=true clientip | table lat lon
And the table is empty.
I have verified that clientip does contain values, and that other fields like "City", "City1" and "City2" contain values.
I've also found that the prefix=someprefix option for the "iplocation" command does not work either.
Am I doing something wrong?
The right way to use this command is like:
|table c_ip | stats count by c_ip | iplocation c_ip
You can then visualise this on a map like:
|table c_ip | stats count by c_ip | iplocation c_ip | geostats latfield=lat longfield=lon sum(count) as count by c_ip globallimit=0
Doesn't work. As the poster mentioned, the lat/lon fields aren't being produced at all by iplocation. I'm experiencing the same issue.
I am facing a similar issue, and the above solution doesn't seem to work. Do we have any way to get the location details based on the IP address in Splunk?
I read in another answer that if the IP addresses are private, the command won't work. (Quite obvious now that I think about it.)
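A quick way to test the private-address explanation from the last reply against your own data, as an added example that is not part of any post in this thread: the search below labels each address by range before calling iplocation, then counts how many rows in each range actually received lat/lon. The six addresses are constructed sample values, and the field names scope and has_geo are made up for this example; replace the first three lines with your own search that yields clientip.

```spl
| makeresults
| eval clientip=split("10.1.2.3,172.16.5.9,192.168.1.20,127.0.0.1,169.254.10.10,8.8.8.8", ",")
| mvexpand clientip
| eval scope=case(
    cidrmatch("10.0.0.0/8", clientip), "private (RFC 1918)",
    cidrmatch("172.16.0.0/12", clientip), "private (RFC 1918)",
    cidrmatch("192.168.0.0/16", clientip), "private (RFC 1918)",
    cidrmatch("127.0.0.0/8", clientip), "loopback",
    cidrmatch("169.254.0.0/16", clientip), "link-local",
    true(), "public")
| iplocation allfields=true clientip
| eval has_geo=if(isnotnull(lat) AND lat!="" AND isnotnull(lon) AND lon!="", "yes", "no")
| stats count values(clientip) as sample_ips by scope has_geo
| sort scope
```

If every row with has_geo=no falls in a non-public scope, the empty table comes from the addresses themselves rather than from the iplocation syntax; a public row with has_geo=no points at the geolocation database on the search head instead.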