This is the current search that I am running, and it is working, but I think it is working only because it is finding the first IP address in the log, which happens to be the IP address I want anyway:
host="my host" action="Deny" | rex "(?
How do I select the field that I want to map out? I am sure there will be instances in which the IP address I want to map out will not be the first one in the log.
I tried the following search, specifically selecting the field (which I extracted), and it doesn't work:
host="my host" action="Deny" SourceIP=* | rex "(?
or
host="my host" action="Deny" SourceIP=* | rex "(?
Thanks for any help!
Since you seem to already have the SourceIP field extracted, you can simply use it:
host="my host" action="Deny" SourceIP=* | geoip SourceIP
What values does this SourceIP field contain? Make sure there is no whitespace around the IP address.
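One way to make the extracted field reliable before handing it to geoip, as an added example and not part of either post above: name the capture group explicitly so you pick the IP that follows a specific token rather than the first IP in the event, then strip whitespace and discard anything that is not a well-formed IPv4 address. The `src=` token and the regex are assumptions about the log format; SourceIP and geoip come from the thread.

```spl
host="my host" action="Deny"
| rex field=_raw "src=\s*(?<SourceIP>\d{1,3}(?:\.\d{1,3}){3})"
| eval SourceIP=trim(SourceIP)
| where isnotnull(SourceIP) AND match(SourceIP, "^\d{1,3}(\.\d{1,3}){3}$")
| geoip SourceIP
```

Running the search without the final geoip line and looking at the SourceIP column shows exactly which values would be passed to the lookup, which makes a stray space or a wrong-field match obvious.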
Thanks for responding!
Yes, I did try that as well, and I get no results. It doesn't crash or error out, but there are no results.