
Missile map show strange location

dannili
Communicator

Hi all, I'm using the Missile map to visualize several IP locations but the result has a weird place: it shows there's a bunch of IP addresses near Africa, but I'm pretty sure there's no place near Africa in my case. Because when I use ..|iplocation FromIPAddr | geostats count by Country to test, there's nowhere near Africa. But now it looks like this:

[screenshot: Missile map]

Now I have two possible guesses:
1. The place is not exactly a country, so when I used the above command to search it's not included.
2. It's the bridge IP. (But I'm sure no bridge IP would be included in the raw data.)

So how do I identify it? Thanks!

0 Karma
1 Solution

luke_monahan
Path Finder

The geographical point in your screenshot is 0,0.

My guess is that some IP addresses with undetermined locations are being put there. You may have to take some steps in your query to exclude or otherwise deal with such addresses.

If your Splunk is not up-to-date then also consider updating the iplocation database separately to get better geo resolution of addresses. You can download the latest db from https://dev.maxmind.com/geoip/geoip2/geolite2/ and point to it in your limits.conf.

dannili
Communicator

Thank you for your quick response! By the way, could you please tell me how you know the geographical point? And if this IP address is not identified, how do I exclude it from the string?

0 Karma

luke_monahan
Path Finder

The geographical point is from the Maxmind database, which is updated relatively frequently with the geographical locations of all known IP ranges. The free version is bundled with Splunk, but you may need to update it yourself if you are not updating Splunk regularly.

There's a fairly good description in the iplocation command reference: http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Iplocation

To completely exclude a non-mappable IP I typically just exclude anything that did not get a "Country" field. e.g.:

<search> | iplocation src_ip | search Country=* | ...

Or something similar.

0 Karma

dannili
Communicator

Thank you for your detailed explanation!

0 Karma

MuS
SplunkTrust

Also, your IP addresses need to be public ones to be able to use iplocation; otherwise you need to create a lookup for your private ranges and use the lookup like in this answer https://answers.splunk.com/answers/616913/how-can-i-use-geolocation-of-a-private-ip-space.html

cheers, MuS

0 Karma
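The two causes discussed in this thread, private addresses that iplocation cannot resolve and lookups that fall back to the 0,0 point, can both be caught before the rows reach the map. The Python below is an added example, not code from the thread or from Splunk; the row layout, field names and IP values are constructed to mimic iplocation output.

```python
import ipaddress

# Constructed sample rows shaped like iplocation output (src_ip plus the
# fields the lookup filled in). Unmappable addresses come back with no
# Country and lat/lon 0,0, which is the "near Africa" point on the map.
SAMPLE_ROWS = [
    {"src_ip": "8.8.8.8", "Country": "United States", "lat": 37.751, "lon": -97.822},
    {"src_ip": "10.12.0.7", "Country": None, "lat": 0.0, "lon": 0.0},
    {"src_ip": "192.168.1.20", "Country": None, "lat": 0.0, "lon": 0.0},
    {"src_ip": "100.64.0.1", "Country": None, "lat": 0.0, "lon": 0.0},
    {"src_ip": "1.2.3.4", "Country": None, "lat": 0.0, "lon": 0.0},
    {"src_ip": "1.1.1.1", "Country": "Australia", "lat": -33.494, "lon": 143.2104},
]


def classify_ip(ip_str):
    """Say why an address cannot be geolocated, or 'public' if it should be."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "invalid"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return "non-routable"
    if ip.is_private:
        return "private"      # RFC 1918 etc.: needs the custom lookup from the thread
    if not ip.is_global:
        return "non-global"   # e.g. CGNAT shared space 100.64.0.0/10
    return "public"


def split_mappable(rows):
    """Partition lookup rows into plottable ones and ones to keep off the map."""
    mappable, unmappable = [], []
    for row in rows:
        reason = classify_ip(row["src_ip"])
        at_origin = row["lat"] == 0.0 and row["lon"] == 0.0
        if reason == "public" and row["Country"] and not at_origin:
            mappable.append(row)
            continue
        if reason == "public":
            reason = "no geo match"  # routable, but absent from the GeoIP database
        unmappable.append({"src_ip": row["src_ip"], "reason": reason})
    return mappable, unmappable


if __name__ == "__main__":
    ok, dropped = split_mappable(SAMPLE_ROWS)
    print("plottable:", [r["src_ip"] for r in ok])
    for r in dropped:
        print("kept off map:", r["src_ip"], "->", r["reason"])
```

The reasons in the unmappable list tell you which rows need the private-range lookup from the linked answer and which are simply missing from the GeoIP database.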

dannili
Communicator

Yes you are right! I used several IP location tools to check input IP but only this one cannot be identified because of "private IP". THANKS A LOT!

0 Karma