Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

GEOIP and Internal IP Lookup Problems

MHS
Explorer
‎03-29-2012 09:01 AM

I built a CSV file for my internal IP addresses with office coordinates. Here are the first two lines of that text file:

clientip,name,lat,lon

10.200.0.0/8,My Office,38.746971,-90.464752

I went into the GUI and went to Management, Lookups, Lookup Table Files, New and added the file as geoip_internal.csv (making sure the app context was set to Google Maps (maps)).

I then went to Lookup Definitions, New and created geoip_internal and created it using a type of "File-based" and a Lookup file of geoip_internal.csv (making sure the app context was set to Google Mapes(maps)).

How do I specify from the GUI that I want to a CIDR lookup on this?

Right now if I do a search in the Google Maps app using the search string "sourcetype="router" | lookup geoip_internal clientip as host" it says there are 984 matches. My sample data file is only 984 rows. Nothing maps and if I click on "Events" it shows nothing.

If I modify that search "sourcetype="router" | lookup geoip_internal clientip as host | geoip clientip" it says there are 6 matches. Which is right there are only 6 different hosts in the sample file. It still doesn't map anything and "Events" still shows nothing.

I believe the CIDR lookup is the issue but I could be wrong.

0 Karma
Reply

Damien_Dallimor
Ultra Champion
‎03-29-2012 03:34 PM

I don't see a way of specifying the CIDR matching via Splunk web.

But you can add a "match_type" property to your lookup stanza in transforms.conf.

Try something like this :

[geoip_internal]
filename = geoip_internal.csv
max_matches = 1
min_matches = 1
match_type = CIDR(clientip)
Reply

Damien_Dallimor
Ultra Champion
‎03-30-2012 04:41 PM

Did you restart Splunk ?

0 Karma
Reply

MHS
Explorer
‎03-30-2012 06:26 AM

I added this entry to the a transforms.conf I created in the /splunk/etc/system/local directory and stiff nothing is mapping. I may just blow this out and start over again since this is just a lab instance of Splunk. I know I'm missing something very simple here.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...