Splunk Search

Is it possible to find the distance between more than 2 IP Addresses?

syx093
Communicator

Say I have one field called member_id and another a multi-value field with the IP Addresses of the member_id.
(Rough Example)
From one member_id

   IP_Addresses
   10.10.10.10 (Location 1)
   172.16.213.10 (Location 2)
   12.12.15.13 (Location 3)
   14.172.25.87 (Location 4)

Is it possible to find the distance between Location 1 and Location 2, Location 1 and Location 3, Location 1 and Location 4, Location 2 and Location 3, Location 2 and Location 4, Location 3 and Location 4? Then, have those distances be displayed on a table for everyone to see. I can easily do this with two locations, but I have no idea how to do this with three or more locations. Keep in mind, the example above is just one row.
Here is my query:

index=olb sourcetype=moduleusages Remarks="Signed On Successfully"
| lookup olb_mbr user_id AS UserId OUTPUT login_name,member_id
| iplocation IpAddress
| stats count(IpAddress) AS ip_count, list(IpAddress) AS ip_addresses, list(lat) AS lat, list(lon) AS lon, list(City) AS City, list(Country) AS Country by member_id
| where ip_count>1
| eval ip1=mvindex(ip_addresses,0,0)
| eval lat1=mvindex(lat,0,0)
| eval lon1=mvindex(lon,0,0)
| eval City1=mvindex(City,0,0)
| eval Country1=mvindex(Country,0,0)
| eval ip2=mvindex(ip_addresses,1,1)
| eval lat2=mvindex(lat,1,1)
| eval lon2=mvindex(lon,1,1)
| eval City2=mvindex(City,1,1)
| eval Country2=mvindex(Country,1,1)
| eval loc1=lat1.",".lon1
| eval loc2=lat2.",".lon2
| search loc1="" loc2=""
| haversine originField=loc1 lat2 lon2 units=mi
| eval Location1=City1.", ".Country1
| eval Location2=City2.", ".Country2
| table member_id ip1 loc1 Location1 ip2 loc2 Location2 distance
| where distance>2000
| sort -distance
| eval distance=round(distance,2)
| rename ip1 AS IP1, ip2 AS IP2 distance AS Miles

This finds the distance between 2 locations whose distance is over 2000 miles and creates a table.

0 Karma

esix_splunk
Splunk Employee

You can do this via the haversine equation, assuming you have the GEOIP data for these locations and IPs. Check out this app: https://splunkbase.splunk.com/app/936/#/documentation.

Using the haversine app, it will calculate the distance between two points based upon the geo plot points (lat and long).

0 Karma

syx093
Communicator

I am already using haversine to find the distance between 2 locations. What I want to know is how you would go about finding the distance between more than 4 points. For example, I want to find the distance between location 1 and 2 and have a new field created for that location. Then I want to find the distance between location 1 and 3, and create a new field for that location. Next would be 1 and 4 while creating new fields. Then 2 and 3, etc. How would I go about doing this?
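The pairwise comparison asked about in this thread, as an added example that is not part of any post above and is not Splunk or haversine-app code: it takes each member's geolocated logins, computes the haversine distance for every unordered pair of IPs, and emits one row per pair over 2000 miles instead of numbered fields per position. The data shape, names and sample values are assumptions constructed for illustration; it is written in Python to show the logic outside SPL.

```python
from itertools import combinations
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MI = 3958.8  # mean Earth radius in miles

# Constructed sample data (documentation-range IPs, approximate city coordinates).
# Assumed shape: member_id -> list of (ip, lat, lon); None means no geo match.
LOGINS = {
    "m-001": [
        ("198.51.100.10", 40.71, -74.01),   # New York
        ("203.0.113.20", 51.51, -0.13),     # London
        ("192.0.2.30", 35.68, 139.69),      # Tokyo
        ("10.10.10.10", None, None),        # private address, no location
    ],
    "m-002": [
        ("198.51.100.77", 40.71, -74.01),   # New York
        ("203.0.113.99", 39.95, -75.17),    # Philadelphia
    ],
}

def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in miles."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MI * asin(sqrt(a))

def pairwise_distances(logins, min_miles=2000):
    """One row per unordered IP pair per member whose distance exceeds min_miles."""
    rows = []
    for member_id, points in logins.items():
        # Drop IPs with no coordinates so they cannot produce bogus distances.
        located = [p for p in points if p[1] is not None and p[2] is not None]
        # combinations() yields 1-2, 1-3, ..., 2-3, ... for any number of points.
        for (ip1, la1, lo1), (ip2, la2, lo2) in combinations(located, 2):
            miles = round(haversine_miles(la1, lo1, la2, lo2), 2)
            if miles > min_miles:
                rows.append((member_id, ip1, ip2, miles))
    return sorted(rows, key=lambda r: -r[3])

if __name__ == "__main__":
    for row in pairwise_distances(LOGINS):
        print(*row, sep="\t")
```

Emitting one row per pair keeps the output the same width however many IPs a member has, which is what makes the result usable as a table or alert.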
