Splunk Search

GEOIP and Internal IP Lookup Problems

MHS
Explorer

I built a CSV file for my internal IP addresses with office coordinates. Here are the first two lines of that text file:

clientip,name,lat,lon
10.200.0.0/8,My Office,38.746971,-90.464752

I went into the GUI and went to Management, Lookups, Lookup Table Files, New and added the file as geoip_internal.csv (making sure the app context was set to Google Maps (maps)).

I then went to Lookup Definitions, New and created geoip_internal and created it using a type of "File-based" and a Lookup file of geoip_internal.csv (making sure the app context was set to Google Maps (maps)).

How do I specify from the GUI that I want to do a CIDR lookup on this?

Right now if I do a search in the Google Maps app using the search string "sourcetype="router" | lookup geoip_internal clientip as host" it says there are 984 matches. My sample data file is only 984 rows. Nothing maps and if I click on "Events" it shows nothing.

If I modify that search to "sourcetype="router" | lookup geoip_internal clientip as host | geoip clientip" it says there are 6 matches. Which is right: there are only 6 different hosts in the sample file. It still doesn't map anything and "Events" still shows nothing.

I believe the CIDR lookup is the issue but I could be wrong.

0 Karma

Damien_Dallimor
Ultra Champion

I don't see a way of specifying the CIDR matching via Splunk web.

But you can add a "match_type" property to your lookup stanza in transforms.conf.

Try something like this :

[geoip_internal]
filename = geoip_internal.csv
max_matches = 1
min_matches = 1
match_type = CIDR(clientip)
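As an added illustration (not code from this thread or from Splunk), the following Python script simulates what match_type = CIDR(clientip) changes: it loads a constructed table shaped like the question's geoip_internal.csv (the first row is the poster's own, the second is made up) and runs both an exact-string lookup and a CIDR lookup over sample host values. Note that the poster's 10.200.0.0/8 has host bits set (the /8 network is 10.0.0.0/8), so ipaddress needs strict=False to accept it.

```python
import csv
import io
import ipaddress

# Constructed sample table shaped like the geoip_internal.csv in the question.
# First row is the poster's; it has host bits set (10.200.0.0/8 is really
# 10.0.0.0/8), so ipaddress only accepts it with strict=False.
LOOKUP_CSV = """clientip,name,lat,lon
10.200.0.0/8,My Office,38.746971,-90.464752
192.168.50.0/24,Branch Office,40.712776,-74.005974
"""

def load_lookup(text):
    """Parse the CSV and pre-compute an ip_network for each clientip value."""
    table = []
    for row in csv.DictReader(io.StringIO(text)):
        table.append((ipaddress.ip_network(row["clientip"], strict=False), row))
    return table

def exact_lookup(table, host):
    """Lookup without match_type: the host string must equal the clientip
    string verbatim, so '10.200.1.5' never matches '10.200.0.0/8'."""
    for _net, row in table:
        if row["clientip"] == host:
            return row
    return None

def cidr_lookup(table, host, max_matches=1):
    """Lookup with match_type = CIDR(clientip): the host matches every row
    whose network contains it. Matches are returned in file order, up to
    max_matches (assumed ordering for overlapping ranges)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # not an IP literal (e.g. a hostname): no match
        return []
    hits = [row for net, row in table if addr in net]
    return hits[:max_matches]

def enrich(table, events):
    """Mimic '| lookup geoip_internal clientip as host' with CIDR matching:
    copy name/lat/lon onto each event whose host falls in a listed range."""
    out = []
    for ev in events:
        ev = dict(ev)
        for row in cidr_lookup(table, ev["host"]):
            ev.update(name=row["name"], lat=float(row["lat"]), lon=float(row["lon"]))
        out.append(ev)
    return out
```

Run enrich() over events whose host is an internal address to see which rows gain lat/lon; hosts outside every listed range come back unchanged, which is exactly the "nothing maps" symptom when the lookup is doing exact matching.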

Damien_Dallimor
Ultra Champion

Did you restart Splunk ?

0 Karma

MHS
Explorer

I added this entry to a transforms.conf I created in the /splunk/etc/system/local directory and still nothing is mapping. I may just blow this out and start over again since this is just a lab instance of Splunk. I know I'm missing something very simple here.

0 Karma