Can I use iplocation with an ip address I get from a dbxquery?

jhdietz
New Member

Can I use iplocation with an ip address I get from a dbxquery?

0 Karma

s2_splunk
Splunk Employee

Looking at your search again, I see that you have multiple typos in there.
It should be | iplocation remoteaddr instead of |iplocation = remotaddr (no equals sign and properly spelled field name).

I just tried this and it works just fine:

| makeresults | eval remoteaddr="50.26.126.246" | iplocation remoteaddr | geostats latfield=lat longfield=lon

Please ensure you are using the correct syntax and try again.

0 Karma

jhdietz
New Member

I got this working; the remoteaddr field is case sensitive, so it worked after I used REMOTEADDR.

0 Karma

s2_splunk
Splunk Employee

🙂
Thanks for providing the update!

Yes, all Splunk field names are case-sensitive; field values are not.

BTW, geostats does not create latitude and longitude; it requires them as input args, which is why you should see a lat and long field after running iplocation successfully.

0 Karma

jhdietz
New Member

Can you test using dbxquery? I get the same results with the "iplocation remoteaddr" syntax. I get nearly 12k worth of stats but no latitude or longitude when I add "| geostats latfield=lat longfield=lon".

0 Karma

s2_splunk
Splunk Employee

Yes. As long as you have a field that contains an IP address, I see no reason why we care where it came from.

0 Karma

jhdietz
New Member

iplocation does work by itself, but not with geostats.

0 Karma

s2_splunk
Splunk Employee

Share your search example and/or screenshot?
Do you have latitude/longitude fields in your events after using iplocation?

0 Karma

jhdietz
New Member

I don't have the lat/lon fields in my events, and I can't attach a screenshot, so here is my search:

|dbxquery connection=db.connection query="select remoteaddr from table" shortnames = t
|iplocation = remotaddr
|geostats latfield=lat longfield=lon globallimit=0

No results found.

0 Karma

s2_splunk
Splunk Employee

Do you get any events without specifying the | geostats command and do those events have the fields "lat" and "lon" that you specified for geostats?

0 Karma

jhdietz
New Member

I get stats without specifying the geostats command.

0 Karma

s2_splunk
Splunk Employee

And do those events have the fields "lat" and "lon" that you specified for geostats?

0 Karma