Hello Will, i have the same question, i like to map 30 ip address ranges to german city geo informations.

How could I setup thi internal ip-address list, to map it again to geo informations?

Do you have a example for me?

BR Michael

Here you go:

We need to create a csv lookup for your subnet field.

In transforms.conf add:

[csv_geoip]
filename = geo_info.csv

Next we create a csv file that outputs the fields expected by the amMap app. In lookups create a geo_info.csv and use the following header:

clientip,client_country,client_region,client_city,client_lat,client_lon

(You can change the clientip value to whatever your going to match on, we just need to make that adjustment in the search)

So an example file could be:

"subnet,"client_city","client_region","client_country","client_lat","client_lon" "1.16,Arkhangelsk,06,"Russian Federation","64.5667","40.5333" "192.23",Bucharest,10,Romania,"44.4333","26.1" "128.16",Leningradskiy,15,"Russian Federation","69.3833","178.4167" "10.19",Beijing,22,China,"39.9289","116.3883",1 "123.19",Moscow,48,"Russian Federation","55.7522","37.6156"

Once you have that just make sure to use subnet in the lookup stanza.

The example search would look like this:

if you have subnet as a searchable field: | lookup csv_geoip

if you want to match subnet on another field: | lookup csv_geoip subnet as src_subnet

Once you have this the app should work as expected.

Let me know if you have any other questions.

Will

I'm a little unclear on how to link the geo data to internal subnets. Are you able to provide an example?