×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
dswoff
New Member
Member since: ‎11-04-2024
‎11-04-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-04-2024
View All

Re: Trying to find Geo Location for IP addresses f...

by in Knowledge Management
‎11-04-2024 12:53 PM
‎11-04-2024 12:53 PM
Same results I get the IP address but no country in the Geo Location. I have noticed that I have a space at the end of the IP address using this REX command.  Ended up using the following command to remove the ending space and that resolved my problem. | eval ip_address=trim(ip_address) ... View more

Trying to find Geo Location for IP addresses from ...

by in Knowledge Management
‎11-04-2024 10:41 AM
‎11-04-2024 10:41 AM
So I am trying to find the geo location for some IP addresses that keep crashing our webserver when they crawl it.  I am getting the information from the event logs. The IP addresses are coming in on a generic field called message that contains a lot of text, so I am pulling that using a rex command, but the iplocation command shows no country code. I have used the iplocation command to get geo information about IP addresses in the past several hours on another search, so I know that works in my system.  When I use the where | where ip_address='ip-address' command it shows no data. So I'm guessing that Splunk doesn't see the text in the created field of ip_address as actual IP addresses.  Anyone know how I can make it see this data as an IP address? Or is it that there might be a leading space or something like that that is causing the issue and if so how do I get rid of that noise? index="eventlog" EventCode=1309 | rex field=Message "User host address:\s(?<ip_address>.*)" | iplocation ip_address=Country | table ip_address, Country ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎11-04-2024 04:29 PM