
Thanks For Downloading!

Review the documentation below and follow any custom installation steps. If no install steps are listed, most Splunk Apps and Add-ons can be installed as follows:

Windows: Decompress the downloaded file using a tool like 7-Zip and place the resulting folder into %PROGRAMFILES%\Splunk\etc\apps. Then restart Splunk using the splunk restart command or the GUI.

Unix/Linux: Decompress the downloaded file using a tool like tar -xvf and place the resulting folder into $SPLUNK_HOME/etc/apps. Then restart Splunk using the splunk restart command or the GUI.

Description

Splunk for Use with MAXMIND is an application that provides GeoIP information for any public IP address in your Splunk data in a scalable fashion. The GeoIPCityLite database is bundled with the app, so no internet connection is required and all lookups are performed locally on your search head.

Usage is simple: pipe any search to 'lookup geoip clientip as <some_ip_field>'. If you do not have an IP field in your data, you can use the rex command to extract one and then perform the lookup.

Example Searches:

eventtype=firewall_event | lookup geoip clientip as src_ip
sourcetype=syslog | rex field=_raw "(?<ip>\d+\.\d+\.\d+\.\d+)" | lookup geoip clientip as ip

This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.

Versions and Release Notes

Version 1.0.6 (current version - updated Apr 12, 2011)
release notes:
Updated the app.conf to improve compatibility with Splunk 4.2
Version 1.0.5 (updated Sep 20, 2010)
release notes:
Added fix for distributed deployments issue
Version 1.0.4 (updated May 26, 2010)
Version 1.0.3 (updated Mar 03, 2010)
Version 1.3 (updated Mar 03, 2010)
Version 1.2 (updated Mar 03, 2010)
Version 1.0.1 (updated Feb 17, 2010)
Version 1.0 (updated Feb 17, 2010)

posted 17 Feb '10, 19:15

Will Hayes ♦

new version 12 Apr '11, 17:13


2 Reviews:
0 ratings

The download is broken: the file starts to download, but then you cannot use it.


reviewed 13 Feb, 10:41

muchodespues

This works really well. After you run a search with the lookup included, your list of fields will now contain country, region, city, longitude and latitude. These can be used to affect the search. For instance, adding a pipe after the table lookup and doing |client_country!="United States". Very cool. Instead of the regex above (which works) I am using '| rex field=_raw "\b(?<ip>(?:\d{1,3}\.){3}\d{1,3})\b" | lookup geoip clientip as ip'. I've stored this as a macro, including the leading pipe. I use it like this:

index="syslogs" geoip | ...rest of search...


reviewed 03 Nov '11, 15:28

wrangler2x


Copyright © 2005-2012 Splunk, Inc. All rights reserved.