what are the query to use by lookup an IP informat... - Splunk Community

Splunk Search

what are the query to use by lookup an IP information like country only for source_IP and destination_IP in your search?

ex:

index =xxxx action=allowed severity=* src-ip=* dest-ip=* |table host, signature,src-ip, dest-ip, action, severity

Q/ in the above query, what are the query i can use to fetch src-ip country name and dest-ip country name

Thank you in advance!

You want the iplocation command (https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Iplocation).

index =xxxx action=allowed severity= src_ip= dest_ip=* 
| iplookup src_ip 
| rename country as src_country 
| iplookup dest_ip 
| rename country as dest_country 
| table host, signature,src_ip, src_country,dest_ip, dest_country, action, severity

---
If this reply helps you, Karma would be appreciated.

Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

Unleash the power of Splunk Observability Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...