Map internal IPs

Question

I'm having a bit of trouble mapping internal IPs. I'm sure I'm just doing something dumb, but I'd love someone to verify that.

I have this lookup:

dest_ip,_lat,_lng
192.168.1.0/24,38.8951,-77.0363

and this transform:

[geoip_internal]
filename = geoip_internal.csv
match_type = CIDR(dest_ip)

And then this search:

dest_ip=* status=Up | dedup dest_ip | lookup geoip_internal dest_ip | geoip dest_ip

Within Google Maps, I don't get any markers plotted out, but I do get this info under the "Geo Results" link:

    location    geo_position       count 
    n/a      38.8951,-77.0363   17

I'm not sure if I should expect the location to be populated or not, but geo_position looks ok, and the count looks right, so what am I missing? Why don't I have any markers plotted?

Accepted Answer

The problem is that the module does not append the | geonormalize command automatically in the new version. The postprocess for the "Geo Results" table does append it, though. Since the new module now expects a combined latitude/longitude value in the _geo field (the old one expected the _lat and _lng field) you have to either append the geonormalize to your search:

dest_ip=* status=Up | dedup dest_ip | lookup geoip_internal dest_ip | geoip dest_ip | geonormalize

or even better, modify your lookup to emit the combined _geo value:

dest_ip,_geo
192.168.1.0/24,"38.8951,-77.0363"

(note the quotes around the lat/lon value)

Additinally, you can specify a "geo_info" column in your lookup with a label that will appear in the "location" column of the "Geo results" table:

dest_ip,geo_info,_geo
192.168.1.0/24,"Washington DC","38.8951,-77.0363"

Map internal IPs

Follow this question

Splunk Resources

Related questions