Hi all,
I have a strange behaviour in ip location:
Above there are the two versions of the event (it's the same _raw with different metadata) with the interesting fields
30/08/17 09.56.00,000
2017-08-30 09:56:00.000, Data_Apertura="2017-08-30 09:56:00.0", Matricola="XXXXX", Cognome="XXXXX", SubArea="XX. Short_Message", Desc_lunga="Long_Message", Severity="Medium", Provenienza_Segnalazione="XXXXX", id="XXX", Ip_Source="xx.xxx.xx.x", Status="Chiuso"
• Ip_Source = xx.xxx.xx.x
• host = host1
• index = index1
• lat = 33.81810
• lon = -84.36040
• source = source1
• sourcetype = sourcetype1
30/08/17 09.56.00,000
2017-08-30 09:56:00.000, Data_Apertura="2017-08-30 09:56:00.0", Matricola="XXXXX", Cognome="XXXXX", SubArea="XX. Short_Message", Desc_lunga="Long_Message", Severity="Medium", Provenienza_Segnalazione="XXXXX", id="XXX", Ip_Source="xx.xxx.xx.x", Status="Chiuso"
• Ip_Source = xx.xxx.xx.x
• host = host2
• index = index2
• lat = 38.00000
• lon = -97.00000
• source = source2
• sourcetype = sourcetype2
Is it possible that different servers (with different versions of Splunk) return different lat and lon values after iplocation command?
iplocation command uses a lookup located on the server where the run is executed or on the indexers?
Bye.
Giuseppe
Yes. You have to update the database yourself, or it only updates when you upgrade Splunk.
http://www.georgestarcher.com/splunk-updating-the-geoip-database/
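The mismatch in the question (one host returning 33.8181/-84.3604, the other 38.0/-97.0 for the same Ip_Source) is the symptom to watch for when search heads carry different GeoIP database versions. The script below is an added example, not code from this thread or from Splunk: it parses events in the thread's key="value" format, groups the iplocation output per source IP, and reports IPs for which different hosts disagree on lat/lon. The sample events, host names and IP addresses (documentation ranges) are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample results (not the poster's real data): the same _raw searched
# on two hosts, each host's "iplocation" output recorded as lat/lon.
SAMPLE_RESULTS = [
    {"host": "host1",
     "_raw": '2017-08-30 09:56:00.000, Ip_Source="203.0.113.7", Severity="Medium", Status="Chiuso"',
     "lat": 33.81810, "lon": -84.36040},
    {"host": "host2",
     "_raw": '2017-08-30 09:56:00.000, Ip_Source="203.0.113.7", Severity="Medium", Status="Chiuso"',
     "lat": 38.00000, "lon": -97.00000},
    {"host": "host1",
     "_raw": '2017-08-30 10:01:00.000, Ip_Source="198.51.100.9", Severity="Low", Status="Aperto"',
     "lat": 51.50000, "lon": -0.12000},
    {"host": "host2",
     "_raw": '2017-08-30 10:01:00.000, Ip_Source="198.51.100.9", Severity="Low", Status="Aperto"',
     "lat": 51.50000, "lon": -0.12000},
]

# Matches the  key="value"  pairs used in the events above.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_fields(raw):
    """Extract the quoted key/value pairs from one event's _raw text."""
    return dict(KV_RE.findall(raw))


def find_geo_drift(results, tolerance=0.01):
    """Return {ip: {host: (lat, lon)}} for every source IP on which at least two
    hosts returned coordinates differing by more than `tolerance` degrees.
    Such drift points at differing GeoIP database versions between the hosts."""
    by_ip = defaultdict(dict)
    for r in results:
        ip = parse_fields(r["_raw"]).get("Ip_Source")
        if ip is None:
            continue
        by_ip[ip][r["host"]] = (r["lat"], r["lon"])

    drift = {}
    for ip, per_host in by_ip.items():
        coords = list(per_host.values())
        ref_lat, ref_lon = coords[0]
        if any(abs(lat - ref_lat) > tolerance or abs(lon - ref_lon) > tolerance
               for lat, lon in coords[1:]):
            drift[ip] = dict(per_host)
    return drift


def drift_report(results):
    """Human-readable lines, one per drifting IP, for a quick daily check."""
    lines = []
    for ip, per_host in sorted(find_geo_drift(results).items()):
        parts = ", ".join(f"{h}=({lat:.4f}, {lon:.4f})" for h, (lat, lon) in sorted(per_host.items()))
        lines.append(f"{ip}: {parts}")
    return lines


if __name__ == "__main__":
    for line in drift_report(SAMPLE_RESULTS):
        print("geoip drift:", line)
```

In practice the input would be the output of the same search run against each search head; any IP listed by the report means the hosts are answering from different database builds, and the fix is the manual database update the answer above points to.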
Thank you.
Bye.
Giuseppe