@gcusello wrote:

Hi @sulaimancds,

are you sure that the field name after the spath command is exactly "ClientIP"? Usually after a spath command, the field names are more complicated. Probably you need to rename the field or use that field name in the iplocation command.

index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication
| spath
| iplocation <your_ClientIP_fieldname>
| table UserId ClientIP DisplayName status Country

Ciao.
Giuseppe

Hi, it does not work. This is my original command before inserting iplocation:

index=o365 [ | inputlookup watchlistriskyusers.csv | rename email AS query | fields query ] sourcetype="o365:management:activity" eventtype=o365_authentication
| spath
| table UserId ClientIP DisplayName

Example:

userid          ClientIP   displayname
abc@gamil.com   1.1.1.1    abcpc

Need help getting this to work to show the country of the ClientIP.