Why am I getting an error "Origin value malformed"...

jwalzerpitt · ‎02-12-2018

I found the following search utilizing the haversine app that looks for anomalous logins re: speed/distance:

| iplocation ip  
| sort _time  
| strcat lat "," lon latlon  
| streamstats current=f global=f window=1 last(latlon) as last_latlon 
| eval last_latlon=if(isnull(last_latlon), latlon, last_latlon) 
| streamstats current=f global=f window=1 last(_time) as last_ts 
| eval time_since_last = _time - last_ts 
| eval time_since_last=if(isnull(time_since_last), 0, time_since_last) 
| haversine originField=last_latlon outputField=distance units=mi latlon 
| eval speed=if(time_since_last==0, 0, (distance/(time_since_last/60/60))) 
| where speed > 500 
| strcat speed " MPH" speed 
| table username, distance, _time, time_since_last, speed, _raw

However, when I run it, I get the following error:

command="haversine", Origin value malformed. Received ',' - expected origin='x,y' as a value represented using decimal degree notation, (e.g. '-41.22,80.22').

How do I modify the line to allow the search to run

Thx

stevemaresca · ‎02-12-2018

If you place the following just before the haversine command, is the search successful? If so, last_latlon is not always present in the stream data

| search last_latlon!=","

jwalzerpitt · ‎02-12-2018

Thx - adding | search last_latlon!="," got rid of the error, but as I was digging into this a little more, I noticed that the iplocation command is not returning lat or lon for me, When I run:

index=foo
| iplocation allfields=true ip  
| sort _time
| table lat lon

I'm not seeing either field

Thx

stevemaresca · ‎02-12-2018

Once that issue is resolved, haversine should work for you. I would recommend consulting the iplocation documentation relevant for your Splunk version http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Iplocation

Make especially sure that the MDDB file is available. Note that, in a distributed environment, it is not sent to indexers by default.

jwalzerpitt · ‎02-12-2018

I have a single instance of Splunk running, but I did update the MDDB file (from 12/2017 to 02/2018) and re-ran the search | iplocation allfields=true ip | sort _time | table lat lon, but still not getting the lat or lon fields

stevemaresca · ‎02-12-2018

general troubleshooting questions that may help you proceed:
-if you remove the sort and table commands, are any iplocation-generated fields present at all?
-are any IPs truly present in the stream?
-are IPs in the stream publicly routable IPs or internal RFC1918 for which iplocation will not generate results?
-does the mddb file have appropriate permissions for the search instance to access it?

Keep in mind that any alternative to iplocation will also suffice if you find one that generates results.

jwalzerpitt · ‎02-12-2018

I found one problem in that the index I was using was having an issue in general with listing the lat/lon fields, so I used a different index.

1) For the new index, when I remove the sort and table commands, iplocation fields (including lat/lon) are poresent

2) I do see IPs in the stream / when I run the following search index=foo sourcetype=foo tag=success src_ip!=10* src_ip!=127.0.0.1 | sort - _time | iplocation src_ip | eval short_lon=round(lon, 2) | eval short_lat=round(lat, 2) | strcat short_lat "," short_lon as latlon | where isnotnull(lat) | rename _time as time | streamstats current=f global=f window=1 first(lat) as next_lat first(long) as next_long first(time) as next_time first( ip) as next_ip first(country) as next_country first(state) as next_state by user , I see IPs

3) The IPs are publicly routable (I am excluding RFC1918 IP space)

4) the mddb does have the appropriate permissions for the search instance to access it / set to -rw-rw-r--

Thx

Why am I getting an error "Origin value malformed" using Haversine command?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes