Solved: Using lookup file to update field value

guruwells · ‎09-06-2016

Hi Everyone,
My requirement is, using client ip's need to display Country with geomap. Here my concern is my ip's private ip's and doesnt have country value. Something USA, India, China. I got some info from my netwrok team, saying these ip's are coming from these countries like that. For that data, I have created lookup file (format of csv) which contains c_ip, State, Location and Country. Now using query I wanted to update Country value which is there in iis or displaying purpose.

index=default sourcetype=iis|iplocation c_ip| geostats count by Country

Here by default Country field is empty.

Created Lookup table

|inputlookup geo_sample_ip_countries.csv

here I will get

c_ip State Location Country
10.92.32.10 XXXXXXX XXXXX India

Now I wanted to display Country geomap based on client ip (c_ip).

I have tried using join query, it's not worked as expectations.

Please suggest me on this.

sundareshr · ‎09-06-2016

Try this. You will need to insure the format for Country is the same as the one returned by iplocation command.

index=default sourcetype=iis |lookup geo_sample_ip_countries.csv c_ip AS c_ip OUTPUT Country | geostats count by Country

View solution in original post

sundareshr · ‎09-06-2016

Try this. You will need to insure the format for Country is the same as the one returned by iplocation command.

index=default sourcetype=iis |lookup geo_sample_ip_countries.csv c_ip AS c_ip OUTPUT Country | geostats count by Country

Using lookup file to update field value

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!