When I use the command SRC="*" | geoip clientip_city I get 3055 matching events, but nothing on the map. I guess what I expect to happen is for the IP addresses in each of these events to show up on the map. What am I doing wrong?

If the field "clientip_city" contains the IP addresses, you can try this search instead:
Update: To extract the field, you have to either configure the fields to be extracted (see http://www.splunk.com/base/Documentation/latest/Knowledge/Addfieldsatsearchtime) or extract them inline:
This will extract the first matching IP in the event.
That gave "0 matching events" and nothing on the map either.
(27 May '11, 13:42)
surban99
Seems like you don't have the clientip_city field extracted. When you execute the search in the default search view of Splunk, are you able to see the field in the field picker (on the left side)?
(27 May '11, 13:45)
ziegfried ♦
You're right, it's not there. How do I get it there?
(27 May '11, 14:18)
surban99
I've updated the answer.
(27 May '11, 14:34)
ziegfried ♦
SRC=* | rex "(?<ip>d{1,3}.d{1,3}.d{1,3}.d{1,3})" | geoip ip still does not work: "0 results with location information". Is it possible the database is not working/up to date? Is there a simple search I can do to test this, e.g. geoip 8.8.8.8? Shouldn't that work?
(31 May '11, 09:43)
surban99
Try to execute the following search in the default search view of Splunk: SRC=* | rex "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | table ip
What kind of results are you getting?
(31 May '11, 09:47)
ziegfried ♦
"geoip 8.8.8.8" will not work. The first argument to the geoip command is always a field name, not a value. You can execute the following to test whether the geoip command is working: | stats count | eval ip="8.8.8.8" | geoip ip
(31 May '11, 09:50)
ziegfried ♦
SRC=* | rex "(?<ip>d{1,3}.d{1,3}.d{1,3}.d{1,3})" | table ip: no events, 0 results with location information.
| stats count | eval ip="8.8.8.8" | geoip ip: no events, 0 results with location information.
(31 May '11, 10:14)
surban99
Please execute those searches in the DEFAULT search view of Splunk, not in the Google Maps view - and describe the results you're seeing.
(31 May '11, 10:16)
ziegfried ♦
108,710 matching events. What specifically should I be looking for?
(31 May '11, 10:25)
surban99
What is displayed in the results table? Btw., you were missing the backslashes in your search; I've modified your answer. Try this search instead.
(31 May '11, 10:28)
ziegfried ♦
108,710 results from July 1 through July 30, 2010. The table has over 1116 pages (I got tired of clicking); every page I saw was empty.
(31 May '11, 10:38)
surban99
Seems like you don't have IP addresses in your events, do you?
(31 May '11, 10:39)
ziegfried ♦
Btw., you can use "add new comment" instead of posting everything as a new answer.
(31 May '11, 10:40)
ziegfried ♦
ABSOLUTELY! Here's a single line from one of the log files:
Nov 6 23:09:52 ice kernel: NEW not SYN? IN=eth1 OUT= MAC=00:08:c7:21:b1:4a:00:07:0e:05:85:f2:08:00 SRC=8.8.8.8 DST=8.8.8.9 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=54197 PROTO=TCP SPT=80 DPT=2080 WINDOW=7245 RES=0x00 ACK FIN URGP=0
The IPs have been changed to protect the innocent.
(31 May '11, 10:46)
surban99
OK, then the following search should work on Google Maps: SRC=* | geoip SRC
(31 May '11, 10:48)
ziegfried ♦
SRC=* | geoip SRC: it does not. Thank you for your patience :)
(31 May '11, 11:03)
surban99
What's the result when you execute the following in the default search view: SRC=* | table SRC | geoip SRC
(31 May '11, 11:07)
ziegfried ♦
Sorry, thought I lost you there. I get IPs!! There are numerous fields like "C:\Program Files\Splunk\etc\apps\maps\bin\geoip.py", but they're all empty.
(31 May '11, 12:24)
surban99
That didn't format right. It's a Windows path to geoip.py, but the table is empty for those fields.
(31 May '11, 12:26)
surban99
Sounds like the command is failing to execute. Try the new version of the Google Maps app.
(01 Jun '11, 00:46)
ziegfried ♦
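Added example (editor's illustration, not code from the thread, from Splunk or from the Google Maps app): a small Python emulation of what the searches in this thread do to the iptables kernel line posted above. It shows why the backslash-less regex that the forum rendered, d{1,3}.d{1,3}..., never matches an address (it looks for the literal letter d), how the intended \d{1,3}\.\d{1,3}... pattern picks out the first IP the way rex does, and how SRC and DST become usable fields once the KEY=VALUE pairs are extracted, which is the point at which | geoip SRC has something to resolve. The sample event is the redacted line from the thread; the KEY=VALUE extraction is an approximation of Splunk's default search-time extraction, not Splunk's own code, and the IPv4 range check is an addition the searches in the thread do not perform.

```python
import re

# Constructed sample input: the redacted iptables kernel log line posted in the
# thread (the poster had already replaced the real addresses with 8.8.8.8/8.8.8.9).
SAMPLE_EVENT = (
    "Nov 6 23:09:52 ice kernel: NEW not SYN? IN=eth1 OUT= "
    "MAC=00:08:c7:21:b1:4a:00:07:0e:05:85:f2:08:00 SRC=8.8.8.8 DST=8.8.8.9 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=54197 PROTO=TCP SPT=80 DPT=2080 "
    "WINDOW=7245 RES=0x00 ACK FIN URGP=0"
)

# The pattern as the forum rendered it once the backslashes were stripped.
# It means "one to three literal 'd' characters, any character, ..." and so
# cannot match an IP address; this is the 'before' state discussed in the thread.
BROKEN_IP_RE = re.compile(r"(?P<ip>d{1,3}.d{1,3}.d{1,3}.d{1,3})")

# The pattern the answer intended. Splunk's rex uses PCRE-style syntax with the
# named group written (?<ip>...); Python spells the same group (?P<ip>...).
IP_RE = re.compile(r"(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")


def first_ip(event, pattern=IP_RE):
    """Return the first IPv4-looking token, like `rex` (first match only), or None."""
    match = pattern.search(event)
    return match.group("ip") if match else None


def extract_kv(event):
    """Approximate Splunk's default KEY=VALUE search-time extraction for an
    iptables line. An empty value (e.g. OUT=) is kept as an empty string so the
    field exists but is empty, which is what the field picker would show."""
    return dict(re.findall(r"\b([A-Z]+)=(\S*)", event))


def is_valid_ipv4(addr):
    """The digit groups in IP_RE also accept 999.999.999.999; a GeoIP lookup
    would simply return no location for such a value. This check is an
    addition, not part of the searches in the thread."""
    parts = addr.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def geo_candidates(event):
    """Fields that `| geoip <field>` could resolve: SRC and DST when they hold a
    syntactically valid IPv4 address."""
    kv = extract_kv(event)
    return {k: v for k, v in kv.items() if k in ("SRC", "DST") and is_valid_ipv4(v)}


if __name__ == "__main__":
    print("broken regex :", first_ip(SAMPLE_EVENT, BROKEN_IP_RE))
    print("fixed regex  :", first_ip(SAMPLE_EVENT))
    print("KV fields    :", extract_kv(SAMPLE_EVENT))
    print("geoip inputs :", geo_candidates(SAMPLE_EVENT))
```

Running it prints None for the broken pattern and 8.8.8.8 for the intended one, which is the difference between "0 results with location information" and dots on the map; the SRC and DST entries of the KV dictionary are the fields the final | geoip SRC search relies on.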