Splunk Search

iplocation query: How to show the country with this search?

sulaimancds
Engager

index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication | spath | iplocation ClientIP | table UserId ClientIP DisplayName status Country

When I run the above command, I am not able to get the country. Country is blank.

| makeresults | eval myip="2001:4860:4860::8888" | iplocation myip

However, when I run this, it is able to show me the country. Can you help me to make the above first command work so that the country will be shown?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sulaimancds,

Are you sure that the field name, after the spath command, is exactly "ClientIP"?

Usually after a spath command the field names are more complicated. Probably you need to rename the field or use that field name in the iplocation command.

index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication 
| spath 
| iplocation <your_ClientIP_fieldname> 
| table UserId ClientIP DisplayName status Country

Ciao.

Giuseppe

0 Karma

sulaimancds
Engager

@gcusello wrote:

Hi @sulaimancds,

Are you sure that the field name, after the spath command, is exactly "ClientIP"?

Usually after a spath command the field names are more complicated. Probably you need to rename the field or use that field name in the iplocation command.

 

index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication 
| spath 
| iplocation <your_ClientIP_fieldname> 
| table UserId ClientIP DisplayName status Country

 

Ciao.

Giuseppe


Hi, it does not work. This is my original command before inserting iplocation:

index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication
| spath
| table UserId ClientIP DisplayName

Example:

UserId             ClientIP     DisplayName
abc@gamil.com      1.1.1.1      abcpc

I need help to show the country of the ClientIP.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sulaimancds,

As I said, the usual issue is that the field name used in the iplocation command isn't exactly the one you have in your logs; for this reason I hinted to check the field names,

also because the spath command always produces more structured field names (e.g. event.access.ip{}). But if your search extracts the ClientIP, you could try to use it.

Ciao.

Giuseppe

0 Karma

sulaimancds
Engager

Hi, I tried with iplocation ClientIP; it does not work.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sulaimancds,

please check if in the interesting fields there is another alias of the ClientIP (having the same value) and try to use it.

Ciao.

Giuseppe

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Does ClientIP hold a valid IP address?

Have you tried one of the IP addresses found in the ClientIP field in your makeresults line?

0 Karma

sulaimancds
Engager

Yes, it is able to get the country; I tried it in the makeresults query.

0 Karma
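The field-name check and the iplocation pipeline discussed in this thread, as an added example that is not from any of the posters and not from Splunk's documentation: it builds three constructed O365-style JSON events with makeresults, runs spath on them exactly as the original search does, and normalises the extracted ClientIP before handing it to iplocation. The JSON layout, the bracketed-IPv6-with-port value and the private address are constructed test inputs, not a statement about what the o365:management:activity sourcetype actually emits; the field names v6_noport, v4_noport and client_ip are arbitrary.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
    n==1, "{\"UserId\":\"abc@example.com\",\"ClientIP\":\"1.1.1.1\",\"Operation\":\"UserLoggedIn\"}",
    n==2, "{\"UserId\":\"def@example.com\",\"ClientIP\":\"[2001:4860:4860::8888]:443\",\"Operation\":\"UserLoggedIn\"}",
    n==3, "{\"UserId\":\"ghi@example.com\",\"ClientIP\":\"10.0.0.5\",\"Operation\":\"UserLoggedIn\"}")
| spath
| rex field=ClientIP "^\[(?<v6_noport>[0-9a-fA-F:]+)\]:\d+$"
| rex field=ClientIP "^(?<v4_noport>\d{1,3}(?:\.\d{1,3}){3}):\d+$"
| eval client_ip=coalesce(v6_noport, v4_noport, ClientIP)
| iplocation client_ip
| eval Country=if(isnull(Country) OR Country=="", "(no geo match)", Country)
| table UserId ClientIP client_ip Country City
```

Three things the sample makes visible. First, to confirm the exact post-spath field name that gcusello asks about, append `| fieldsummary | table field` after `| spath` on the real search; if the address turns out to live under a nested key, a `rename "<that.key>" AS client_ip` before iplocation is all that is needed. Second, iplocation expects a bare address: the constructed `[2001:4860:4860::8888]:443` value only resolves once the brackets and port are stripped, which is why the same address works in a makeresults test but not from a field that carries a suffix. Third, the bundled GeoIP database has no entries for private or reserved ranges, so `10.0.0.5` yields no Country at all; a blank Country can therefore mean the address is internal rather than the field name being wrong.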