I have the GoogleMaps app and MAXMIND installed.
I have a stream of syslog data from which I am extracting a field named SourceIP. I want to do geo IP lookups on these host addresses. Unfortunately, for now in the lab configuration, I'm using all 10.x.y.z address space.
I need to do a local lookup for my 10.x.y.z nodes with a /32 mask. I created a local_ip.csv file and put the client IP, lat, lon into it as quoted comma delimited values.
My transforms.conf is as follows:
[dcfw_extract]
REGEX = (\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)(.*)
FORMAT = DATE::$1 TIME::$2 DeviceID::$3 Facilty::$4 RuleID::$5 MessageID::$6 Action::$7 Protocol::$8 SourceIP::$9 SourcePort::$10 DestinationIP::$11 DestinationPort::$12 VirtualSvc::$13 SnatIP::$14 Comment::$15
[local_ip]
filename = local_ip.csv
max_matches = 1
min_matches = 1
match_type = CIDR(SourceIP)
I created a local_ip.csv file and it is located in ....\Splunk\etc\apps\maps\lookups. This file contains 5 host IPs I'm trying to match on to get the lat/lon values.
"clientip","client_lat","client_lon"
"10.2.5.201/32","74.00","42.00"
"10.1.1.101/32","75.00","43.00"
"10.2.1.101/32","76.00","44.00"
"10.3.1.102/32","77.00","45.00"
"10.4.1.201/32","78.00","46.00"
I've tried different field names, i.e. latitude and longitude, and quoted and non-quoted values. I saw an example that Will posted showing the .csv file was quoted in his example.
My view XML line item is as follows:
<param name="search">SourceIP=* | lookup local_ip.csv clientip as SourceIP| geoip SourceIP</param>
With this call the map does not report syntax errors. As I watch it loading and building the preview, it flashes up an "Error Loading" message in the upper left-hand corner of the map.
I override the lookup with an
eval _geo="72.00,44.00" | geoip SourceIP
and it renders my data counts.
I'm having a hard time tracking down why my lookup doesn't get the fields for lat/lon.
If I try to do a lookup with "geoip clientip as SourceIP" I get a file-not-found error, because I do not have a geoip.csv file. Should I?
I've been through a lot of the online help already. I can't seem to narrow this down to a root cause.
Thanks in advance for any help you may be able to provide.
I think your issue is your match:
[local_ip]
filename = local_ip.csv
max_matches = 1
min_matches = 1
match_type = CIDR(clientip)
As the field in the lookup is called clientip.
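To make the corrected stanza concrete, here is an added example in Python that is not from the question, the answer, or Splunk itself. It emulates what the search pipeline above is meant to do: extract fields from a dcfw log line with the posted regex, load a constructed copy of local_ip.csv, and match the event's SourceIP against the lookup's clientip column the way match_type = CIDR(clientip) declares (the CIDR column is named by its header in the lookup file, not by the event field being matched). The sample log lines, the event dictionaries and the helper names are assumptions; the CSV rows and regex are copied from the post.

```python
import csv
import io
import ipaddress
import re

# Constructed copy of the lookup table from the question (not read from disk).
LOCAL_IP_CSV = """\
"clientip","client_lat","client_lon"
"10.2.5.201/32","74.00","42.00"
"10.1.1.101/32","75.00","43.00"
"10.2.1.101/32","76.00","44.00"
"10.3.1.102/32","77.00","45.00"
"10.4.1.201/32","78.00","46.00"
"""

# REGEX and FORMAT field order from the [dcfw_extract] stanza in the question.
DCFW_REGEX = re.compile(
    r"(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s"
    r"(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)(.*)"
)
DCFW_FIELDS = ["DATE", "TIME", "DeviceID", "Facilty", "RuleID", "MessageID",
               "Action", "Protocol", "SourceIP", "SourcePort", "DestinationIP",
               "DestinationPort", "VirtualSvc", "SnatIP", "Comment"]

# Constructed sample events: one source in the lookup, one that is not.
SAMPLE_LINES = [
    "2012-06-01 14:02:11 dcfw01 local4 101 300001 permit tcp 10.2.5.201 51234 "
    "192.0.2.10 443 vs_web 203.0.113.5 none",
    "2012-06-01 14:02:12 dcfw01 local4 101 300002 permit tcp 10.9.9.9 51235 "
    "192.0.2.10 443 vs_web 203.0.113.5 none",
]


def parse_dcfw(line):
    """Apply the dcfw_extract regex and name the groups as FORMAT does."""
    m = DCFW_REGEX.match(line)
    if not m:
        return None
    return dict(zip(DCFW_FIELDS, m.groups()[:len(DCFW_FIELDS)]))


def valid_match_field(csv_text, cidr_field):
    """True if the column named in match_type = CIDR(<field>) exists in the file.

    This is the check the accepted answer makes: SourceIP is an event field,
    so CIDR(SourceIP) names a column that the lookup file does not have.
    """
    header = next(csv.reader(io.StringIO(csv_text)))
    return cidr_field in header


def load_lookup(csv_text, cidr_field):
    """Parse the CSV and pre-build an ip_network for the CIDR column."""
    if not valid_match_field(csv_text, cidr_field):
        raise KeyError(f"lookup has no column {cidr_field!r}")
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ipaddress.ip_network(row[cidr_field], strict=False)
        rows.append((net, row))
    return rows


def cidr_lookup(rows, event_value, max_matches=1):
    """Return up to max_matches rows whose block contains event_value, in file order."""
    try:
        addr = ipaddress.ip_address(event_value)
    except ValueError:
        return []  # not an address at all: nothing can match
    hits = [row for net, row in rows if addr in net]
    return hits[:max_matches]


def enrich(rows, events, event_field="SourceIP"):
    """Emulate `| lookup local_ip clientip AS SourceIP`, also building the _geo
    "lat,lon" string the question supplied by hand with eval."""
    out = []
    for ev in events:
        ev = dict(ev)
        hits = cidr_lookup(rows, ev.get(event_field, ""))
        if hits:
            ev["client_lat"] = hits[0]["client_lat"]
            ev["client_lon"] = hits[0]["client_lon"]
            ev["_geo"] = f"{ev['client_lat']},{ev['client_lon']}"
        out.append(ev)
    return out


if __name__ == "__main__":
    table = load_lookup(LOCAL_IP_CSV, "clientip")
    for ev in enrich(table, [parse_dcfw(l) for l in SAMPLE_LINES]):
        print(ev["SourceIP"], ev.get("_geo", "<no match>"))
```

Two practical checks fall out of this. First, valid_match_field(LOCAL_IP_CSV, "SourceIP") is False, which is the configuration error the answer points at: with the CIDR column misnamed, the "10.2.5.201/32" strings are never compared as networks and a bare 10.2.5.201 cannot match them. Second, as I understand the lookup command, the match_type setting lives in the [local_ip] stanza and only applies when the search references that stanza name (lookup local_ip clientip AS SourceIP); referencing the raw file name (lookup local_ip.csv ...) is worth double-checking, since it may bypass the transforms.conf definition entirely.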