Splunk Search

iplocation query: How to show the country with this search?

sulaimancds
Engager

index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication | spath | iplocation ClientIP | table UserId ClientIP DisplayName status Country


When I run the above search, I am not able to get the country; Country is blank.


| makeresults | eval myip="2001:4860:4860::8888" | iplocation myip

However, when I run this, it is able to show me the country. Can you help me make the first search above work so that the country will be shown?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sulaimancds,

Are you sure that the field name, after the spath command, is exactly "ClientIP"?

Usually after a spath command, the field names are more complicated. Probably you need to rename the field or use that field name in the iplocation command.

index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication 
| spath 
| iplocation <your_ClientIP_fieldname> 
| table UserId ClientIP DisplayName status Country

Ciao.

Giuseppe

0 Karma

sulaimancds
Engager

@gcusello wrote:

Hi @sulaimancds,

Are you sure that the field name, after the spath command, is exactly "ClientIP"?

Usually after a spath command, the field names are more complicated. Probably you need to rename the field or use that field name in the iplocation command.

index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication 
| spath 
| iplocation <your_ClientIP_fieldname> 
| table UserId ClientIP DisplayName status Country


Ciao.

Giuseppe


Hi, it does not work. This is my original search before inserting iplocation:

index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication
| spath
| table UserId ClientIP DisplayName

Example output:

UserId            ClientIP    DisplayName
abc@gamil.com     1.1.1.1     abcpc

I need help to show the country of the ClientIP.
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sulaimancds,

As I said, the usual issue is that the field name used in the iplocation command isn't exactly the one you have in your logs; for this reason I hinted to check the field names,

also because the spath command always produces more structured field names (e.g. event.access.ip{}). But if your search extracts ClientIP, you could try to use it.

Ciao.

Giuseppe

0 Karma

sulaimancds
Engager

Hi, I tried with iplocation ClientIP; it does not work.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sulaimancds,

Please check if in the interesting fields there is another alias of ClientIP (having the same value) and try to use it.

Ciao.

Giuseppe

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Does ClientIP hold a valid IP address?

Have you tried one of the IP addresses found in the ClientIP field in your makeresults line?

0 Karma

sulaimancds
Engager

Yes, it is able to get the country when I try it in the makeresults query.

0 Karma
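The two diagnostics raised in this thread (gcusello: is the field really named ClientIP after spath? ITWhisperer: does the field hold a bare, valid IP address?) can be folded into a single search that makes the answer visible per event. The following is an added example, not a search from the thread or from Splunk. It assumes the lookup and field names used in the question, that ClientIP sits at the top level of the JSON event, and, as an assumption about the data rather than a fact from the thread, that some ClientIP values may carry a port suffix (`1.2.3.4:5678`) or IPv6 brackets (`[2001:db8::1]:443`), which iplocation cannot parse. The field names client_ip_raw, ip4, ip6, client_ip and ip_status are invented here.

```spl
index=o365 sourcetype="o365:management:activity" eventtype=o365_authentication
    [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ]
| spath output=client_ip_raw path=ClientIP
| eval client_ip_raw=coalesce(client_ip_raw, ClientIP)
| rex field=client_ip_raw "^(?<ip4>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$"
| rex field=client_ip_raw "^\[?(?<ip6>[0-9A-Fa-f.]*:[0-9A-Fa-f:.]*)\]?(?::\d+)?$"
| eval client_ip=coalesce(ip4, ip6)
| eval ip_status=case(isnull(client_ip_raw), "ClientIP field missing",
                      isnull(client_ip), "ClientIP not a bare IP: " . client_ip_raw,
                      true(), "ok")
| iplocation client_ip
| table UserId DisplayName client_ip_raw client_ip ip_status Country
```

Reading the result: `ClientIP field missing` means spath did not produce a top-level ClientIP for that event, so the name gcusello asked about is wrong or nested (run `| spath | fieldsummary` on a handful of events to see the names that actually come out); `ClientIP not a bare IP` shows the raw value iplocation was given, which is the check ITWhisperer asked for. iplocation does not raise an error on a value it cannot parse; it just leaves Country empty, which is exactly the symptom in the question. Note that a syntactically valid private address (10.0.0.0/8, 192.168.0.0/16 and so on) also yields an empty Country, because the bundled GeoIP database has no entry for it, so an `ok` status with no Country is not necessarily a parsing problem.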