iplocation query: How to show the country with this search?

sulaimancds
Engager

index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication | spath | iplocation ClientIP | table UserId ClientIP DisplayName status Country

When I run the above command, I am not able to get the country. Country is blank.


| makeresults | eval myip="2001:4860:4860::8888" | iplocation myip

However, when I run this, it is able to show me the country. Can you help me make the first command above work so that the country will be shown?

gcusello
SplunkTrust

Hi @sulaimancds,

Are you sure that the field name, after the spath command, is exactly "ClientIP "?

Usually after a spath command the field names are more complicated. Probably you need to rename the field, or use that field name in the iplocation command.

index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication 
| spath 
| iplocation <your_ClientIP_fieldname> 
| table UserId ClientIP DisplayName status Country

Ciao.

Giuseppe


sulaimancds
Engager

@gcusello wrote:

Hi @sulaimancds,

Are you sure that the field name, after the spath command, is exactly "ClientIP "?

Usually after a spath command the field names are more complicated. Probably you need to rename the field, or use that field name in the iplocation command.

index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication 
| spath 
| iplocation <your_ClientIP_fieldname> 
| table UserId ClientIP DisplayName status Country

Ciao.

Giuseppe


Hi, it does not work. This is my original command before inserting iplocation:


index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication
| spath
| table UserId ClientIP DisplayName

Example:

userid          ClientIP    displayname
abc@gamil.com   1.1.1.1     abcpc

Need help to show the country of the ClientIP.

gcusello
SplunkTrust

Hi @sulaimancds,

As I said, the usual issue is that the field name used in the iplocation command isn't exactly the one you have in your logs; for this reason I hinted to check the field names, also because the spath command always produces more structured field names (e.g. event.access.ip{}). But if your search extracts the ClientIP, you could try to use it.

Ciao.

Giuseppe


sulaimancds
Engager

Hi, I tried with iplocation ClientIP; it does not work.

gcusello
SplunkTrust

Hi @sulaimancds,

Please check if in the interesting fields there is another alias of ClientIP (having the same value), and try to use it.

Ciao.

Giuseppe


ITWhisperer
SplunkTrust

Does ClientIP hold a valid IP address?

Have you tried one of the IP addresses found in the ClientIP field in your makeresults line?


sulaimancds
Engager

Yes, it is able to get the country. I tried it with the makeresults query.
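
A diagnostic search, added here and not from any post in the thread, that exercises the three things the replies ask about in one run: whether a ClientIP-like field exists in the event at all (coalesce over ClientIP and ClientIPAddress, the second name being an assumed alias to adapt to your own field list), whether the value is a bare address that iplocation can resolve (the regex strips a port suffix and IPv6 brackets, which is an assumption about how some O365 events format the value; confirm against your data), and whether iplocation actually populated Country. The four events are constructed with makeresults so the search runs without any index.

```spl
| makeresults count=4
| streamstats count AS n
| eval _raw=case(
    n==1, "{\"UserId\":\"abc@example.com\",\"ClientIP\":\"1.1.1.1\"}",
    n==2, "{\"UserId\":\"def@example.com\",\"ClientIP\":\"8.8.8.8:51234\"}",
    n==3, "{\"UserId\":\"ghi@example.com\",\"ClientIP\":\"[2001:4860:4860::8888]:443\"}",
    n==4, "{\"UserId\":\"jkl@example.com\",\"ClientIPAddress\":\"9.9.9.9\"}")
| spath
| eval ip_raw=coalesce(ClientIP, ClientIPAddress)
| rex field=ip_raw "^\[?(?<ip_clean>[0-9a-fA-F.:]+?)\]?(:\d+)?$"
| iplocation ip_clean
| eval geo_check=case(
    isnull(ip_raw),  "no client IP field in this event",
    isnull(Country), "iplocation returned nothing for ".ip_clean,
    true(),          "ok")
| table UserId ip_raw ip_clean Country geo_check
```

Replace the makeresults block with your real index=o365 search and keep the rest; a row whose geo_check is not "ok" tells you whether the problem is the field name or the value inside it.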
