Splunk Search

iplocation query: How to show the country with this search?

sulaimancds
Engager

index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication | spath | iplocation ClientIP | table UserId ClientIP DisplayName status Country

 

when i run the above command , i am not able to get the country. country is blank.

 

| makeresults | eval myip="2001:4860:4860::8888" | iplocation myip

however, when i run this, it is able to show me the country. Can you help me to make the above first command work so that country will be shown?

 

 

Labels (2)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sulaimancds,

are you sure that the fieldname, after the spath command is exactly "ClientIP "?

Usually after a spath command, the field names are more complicated. probably you need to rename the field or use that field name in the iplocation command.

index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication 
| spath 
| iplocation <your_ClientIP_fieldname> 
| table UserId ClientIP DisplayName status Country

Ciao.

Giuseppe

0 Karma

sulaimancds
Engager

@gcusello wrote:

Hi @sulaimancds,

are you sure that the fieldname, after the spath command is exactly "ClientIP "?

Usually after a spath command, the field names are more complicated. probably you need to rename the field or use that field name in the iplocation command.

 

index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication 
| spath 
| iplocation <your_ClientIP_fieldname> 
| table UserId ClientIP DisplayName status Country

 

Ciao.

Giuseppe


HI it does not work, this is my original command before inserting. IPLocation

 

index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication
| spath
| table UserId ClientIP DisplayName

 

example

userid                             ClientIP            displayname

abc@gamil.com          1.1.1.1                  abcpc

 

need help work to show country of the ClientIP

Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sulaimancds,

as I said, the usual issue is that the field name used in the iplocation command isn't exactly the one you have from your logs, for this reason I hinted to check the field names,

also because the spath command has always field names more structured (e.g. event.access.ip{}), but if your search extracts the ClientIP you could try to use it.

Ciao.

Giuseppe

0 Karma

sulaimancds
Engager

hi i try with iplocation ClientIP it does not work

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sulaimancds,

please check if in the interesting fields there is another alias of the ClientIP (having the same value) and try to use it.

Ciao.

Giuseppe

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Does ClientIP hold a valid IP address?

Have you tried one of the IP addresses found in the ClientIP field in your makeresults line?

0 Karma

sulaimancds
Engager

yes it is able to get the country i try it the the makeresults query

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...