Splunk Search

GeoIP app not working correctly

castle1126
Communicator

Hi, I downloaded (installed via Splunk GUI) and am testing out the GeoIP app on my 4.1.4 search head. I'm having an issue though. When I run a search against my proxy data I get no returned information from the GeoIP lookups. The search command I'm running is:

index=weblog | lookup geoip clientip as ip

I do know that after downloading the app I restarted Splunk. I get no errors in logs or at the GUI when I'm issuing the searches.

Any idea on what I'm doing wrong?

Thanks! Steve

castle1126
Communicator

Thanks! The localop did the trick!

0 Karma

Justin_Grant
Contributor

hi @castle1126 - instead of adding a new answer (like you'd do on a traditional forum), on Splunk Answers you'll want to add a comment on the correct answer and "accept" it by clicking the checkmark. Thanks!

0 Karma

araitz
Splunk Employee
Splunk Employee

I use geoip all the time, and I have never had any problems with the expense of the operation.

Try using localop:

index=weblog | localop | lookup geoip clientip as ip

http://www.splunk.com/base/Documentation/4.1.4/SearchReference/Localop

castle1126
Communicator

This is an expensive (resource) task on my system. In most of my events I will have at least 2 IP addresses that are extracted via CSV field extraction - which give pretty fast field extractions. IPLocation trying to find the IP in the _raw of these events doesn't come across as optimal. Plus iplocation doesn't give me the opportunity to "give" the lookup an IP address.

0 Karma

ftk
Motivator

Splunk now has a command for ip lookups built in -- iplocation. This might be easier to use than the GeoIP app.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...