All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Map internal IPs

mw
Splunk Employee
Splunk Employee
‎06-01-2011 08:44 AM

I'm having a bit of trouble mapping internal IPs. I'm sure I'm just doing something dumb, but I'd love someone to verify that.

I have this lookup:

dest_ip,_lat,_lng
192.168.1.0/24,38.8951,-77.0363

and this transform:

[geoip_internal]
filename = geoip_internal.csv
match_type = CIDR(dest_ip)

And then this search:

dest_ip=* status=Up | dedup dest_ip | lookup geoip_internal dest_ip | geoip dest_ip

Within Google Maps, I don't get any markers plotted out, but I do get this info under the "Geo Results" link:

    location    geo_position       count 
    n/a      38.8951,-77.0363   17

I'm not sure if I should expect the location to be populated or not, but geo_position looks ok, and the count looks right, so what am I missing? Why don't I have any markers plotted?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ziegfried
Influencer
‎06-01-2011 09:42 AM

The problem is that the module does not append the | geonormalize command automatically in the new version. The postprocess for the "Geo Results" table does append it, though. Since the new module now expects a combined latitude/longitude value in the _geo field (the old one expected the _lat and _lng field) you have to either append the geonormalize to your search:

dest_ip=* status=Up | dedup dest_ip | lookup geoip_internal dest_ip | geoip dest_ip | geonormalize

or even better, modify your lookup to emit the combined _geo value:

dest_ip,_geo
192.168.1.0/24,"38.8951,-77.0363"

(note the quotes around the lat/lon value)

Additinally, you can specify a "geo_info" column in your lookup with a label that will appear in the "location" column of the "Geo results" table:

dest_ip,geo_info,_geo
192.168.1.0/24,"Washington DC","38.8951,-77.0363"

View solution in original post

Reply
Solved! Jump to solution
Solution

ziegfried
Influencer
‎06-01-2011 09:42 AM

The problem is that the module does not append the | geonormalize command automatically in the new version. The postprocess for the "Geo Results" table does append it, though. Since the new module now expects a combined latitude/longitude value in the _geo field (the old one expected the _lat and _lng field) you have to either append the geonormalize to your search:

dest_ip=* status=Up | dedup dest_ip | lookup geoip_internal dest_ip | geoip dest_ip | geonormalize

or even better, modify your lookup to emit the combined _geo value:

dest_ip,_geo
192.168.1.0/24,"38.8951,-77.0363"

(note the quotes around the lat/lon value)

Additinally, you can specify a "geo_info" column in your lookup with a label that will appear in the "location" column of the "Geo results" table:

dest_ip,geo_info,_geo
192.168.1.0/24,"Washington DC","38.8951,-77.0363"
Reply
Solved! Jump to solution

edonze
Path Finder
‎05-08-2014 09:56 AM

I do have this working and it is awesome, but I have 2 questions:
1: Can I get the location data on other views/dashboards?
1.5: If so how?
2: Can I put the other info such as region_name & postal_code in there and retrieve it with geo lookups?

0 Karma
Reply
Solved! Jump to solution

mw
Splunk Employee
Splunk Employee
‎06-01-2011 02:06 PM

Awesome! Thanks so much, and thanks for putting together such a sweet app!

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...