Here you go:
We need to create a csv lookup for your subnet field.
In transforms.conf add:
[csv_geoip]
filename = geo_info.csv
Next we create a csv file that outputs the fields expected by the amMap app. In lookups create a geo_info.csv and use the following header:
clientip,client_country,client_region,client_city,client_lat,client_lon
(You can change the clientip value to whatever you're going to match on; we just need to make that adjustment in the search.)
So an example file could be:
"subnet","client_city","client_region","client_country","client_lat","client_lon"
"1.16",Arkhangelsk,06,"Russian Federation","64.5667","40.5333"
"192.23",Bucharest,10,Romania,"44.4333","26.1"
"128.16",Leningradskiy,15,"Russian Federation","69.3833","178.4167"
"10.19",Beijing,22,China,"39.9289","116.3883"
"123.19",Moscow,48,"Russian Federation","55.7522","37.6156"
Once you have that just make sure to use subnet in the lookup stanza.
The example search would look like this:
If you have subnet as a searchable field:
| lookup csv_geoip subnet
If you want to match subnet on another field:
| lookup csv_geoip subnet as src_subnet
Once you have this the app should work as expected.
Let me know if you have any other questions.
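A hand-edited lookup file with a misplaced quote or an extra field can silently fail to match, so it helps to lint geo_info.csv before deploying it. The following is an added example, not part of the original post: it checks field counts, duplicate subnet keys and coordinate ranges. The function name and the sample rows are constructed for illustration, and the header is assumed to be the one from the example file above.

```python
import csv
import io

# Header of the example file in the post above (assumed unchanged).
EXPECTED = ["subnet", "client_city", "client_region",
            "client_country", "client_lat", "client_lon"]


def check_geo_lookup(text):
    """Return a list of (line_number, problem) for the body of geo_info.csv."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header != EXPECTED:
        return [(1, f"unexpected header: {header}")]
    problems, seen = [], {}
    for row in reader:
        line = reader.line_num
        if not row:
            continue  # tolerate blank lines
        if len(row) != len(header):
            problems.append((line, f"{len(row)} fields, expected {len(header)}"))
            continue
        key = row[0]
        if key in seen:
            # A duplicate key makes the lookup result ambiguous.
            problems.append((line, f"duplicate subnet {key!r}, first on line {seen[key]}"))
        seen.setdefault(key, line)
        try:
            lat, lon = float(row[4]), float(row[5])
        except ValueError:
            problems.append((line, "client_lat/client_lon not numeric"))
            continue
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            problems.append((line, f"coordinates out of range: {lat}, {lon}"))
    return problems


# Constructed sample: line 3 has a stray extra field, line 4 repeats a key,
# line 5 has latitude and longitude swapped.
SAMPLE = '''"subnet","client_city","client_region","client_country","client_lat","client_lon"
"192.23",Bucharest,10,Romania,"44.4333","26.1"
"10.19",Beijing,22,China,"39.9289","116.3883",1
"192.23",Moscow,48,"Russian Federation","55.7522","37.6156"
"128.16",Leningradskiy,15,"Russian Federation","178.4167","69.3833"
'''

if __name__ == "__main__":
    for line, problem in check_geo_lookup(SAMPLE):
        print(f"line {line}: {problem}")
```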