Forgive me if this has been asked before, but I am trying to do a lookup using geoip (MaxMind database) to resolve IPs to countries, which works great. This is what I have so far:
sourcetype="fsisac-2" | lookup geoip clientip as IP
In my field list I now have a "client_country" field. I now want to add "client_country=germany" to the query, but whether I add this at the end, or before the pipe. How do I construct the query to now only show me IPs that are coming from Germany?
TIA
After lookup, add | search client_country="germany". Just that easy!
Excellent. If that worked for you, consider clicking the checkmark next to the response, so that others can know that it's a working solution. Happy Splunking!
That is exactly it! I would not have thought to add the word "search" back onto the search bar - probably just late at night for me. Thanks again!