Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

iplocation query: How to show the country with this search?

sulaimancds
Engager
‎08-22-2023 11:05 PM

index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication | spath | iplocation ClientIP | table UserId ClientIP DisplayName status Country

 

when i run the above command , i am not able to get the country. country is blank.

 

| makeresults | eval myip="2001:4860:4860::8888" | iplocation myip

however, when i run this, it is able to show me the country. Can you help me to make the above first command work so that country will be shown?

 

 

Labels (2)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-23-2023 12:45 AM

Hi @sulaimancds,

are you sure that the fieldname, after the spath command is exactly "ClientIP "?

Usually after a spath command, the field names are more complicated. probably you need to rename the field or use that field name in the iplocation command.

index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication 
| spath 
| iplocation <your_ClientIP_fieldname> 
| table UserId ClientIP DisplayName status Country

Ciao.

Giuseppe

0 Karma
Reply

sulaimancds
Engager
‎08-23-2023 12:58 AM
@gcusello wrote:

Hi @sulaimancds,

are you sure that the fieldname, after the spath command is exactly "ClientIP "?

Usually after a spath command, the field names are more complicated. probably you need to rename the field or use that field name in the iplocation command.

 

index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication 
| spath 
| iplocation <your_ClientIP_fieldname> 
| table UserId ClientIP DisplayName status Country

 

Ciao.

Giuseppe

HI it does not work, this is my original command before inserting. IPLocation

 

index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication
| spath
| table UserId ClientIP DisplayName

 

example

userid                             ClientIP            displayname

abc@gamil.com          1.1.1.1                  abcpc

 

need help work to show country of the ClientIP

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-23-2023 01:10 AM

Hi @sulaimancds,

as I said, the usual issue is that the field name used in the iplocation command isn't exactly the one you have from your logs, for this reason I hinted to check the field names,

also because the spath command has always field names more structured (e.g. event.access.ip{}), but if your search extracts the ClientIP you could try to use it.

Ciao.

Giuseppe

0 Karma
Reply

sulaimancds
Engager
‎08-23-2023 01:15 AM

hi i try with iplocation ClientIP it does not work

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-23-2023 01:21 AM

Hi @sulaimancds,

please check if in the interesting fields there is another alias of the ClientIP (having the same value) and try to use it.

Ciao.

Giuseppe

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-22-2023 11:42 PM

Does ClientIP hold a valid IP address?

Have you tried one of the IP addresses found in the ClientIP field in your makeresults line?

0 Karma
Reply

sulaimancds
Engager
‎08-22-2023 11:56 PM

yes it is able to get the country i try it the the makeresults query

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Smartness with Brandon Sternfield | Episode 3

Callie Skokos: Hello and welcome to another episode of "Splunk Smartness," the interview series where we ...

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...