Can I use iplocation with an ip address I get from a dbxquery?
Looking at your search again, I see that you have multiple typos in there.
It should be | iplocation remoteaddr instead of |iplocation = remotaddr (no equals sign and properly spelled field name).
I just tried this and it works just fine:
| makeresults | eval remoteaddr="50.26.126.246" | iplocation remoteaddr | geostats latfield=lat longfield=lon
Please ensure you are using the correct syntax and try again.
I got this working. The remoteaddr field is case sensitive, so it worked after I used REMOTEADDR
🙂
Thanks for providing the update!
Yes, all Splunk field names are case-sensitive; field values are not.
BTW, geostats does not create latitude and longitude; it requires them as input args, which is why you should see a lat and long field after running iplocation successfully.
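The fix from this thread applied to the dbxquery search, as an added example that is not from any of the posters. It assumes the connection name and query shown in the question and that the database returns the column as REMOTEADDR, as reported above. The first search counts how many rows iplocation actually resolved, and the second draws the map once those counts are non-zero.

```spl
| dbxquery connection=db.connection query="select remoteaddr from table" shortnames=t
| rename REMOTEADDR AS remoteaddr
| iplocation remoteaddr
| stats count AS total_rows, count(lat) AS rows_with_lat, count(lon) AS rows_with_lon

| dbxquery connection=db.connection query="select remoteaddr from table" shortnames=t
| rename REMOTEADDR AS remoteaddr
| iplocation remoteaddr
| where isnotnull(lat) AND isnotnull(lon)
| geostats latfield=lat longfield=lon globallimit=0 count
```

If rows_with_lat is 0 while total_rows is not, iplocation was given a field name that does not exist in the results (wrong case or spelling), so geostats has nothing to plot.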
Can you test using dbxquery? I get the same results with the "iplocation remoteaddr" syntax. I get nearly 12k worth of stats but no latitude or longitude when I add "| geostats latfield=lat longfield=lon"
Yes. As long as you have a field that contains an ip address, I see no reason why we care where it came from.
iplocation does work by itself but not with geostats
Share your search example and/or screenshot?
Do you have latitude/longitude fields in your events after using iplocation?
I don't have the lat/lon fields in my events and I can't attach a screenshot so here is my search:
|dbxquery connection=db.connection query="select remoteaddr from table" shortnames = t
|iplocation = remotaddr
|geostats latfield=lat longfield=lon globallimit=0
No results found.
Do you get any events without specifying the | geostats command and do those events have the fields "lat" and "lon" that you specified for geostats?
I get stats without specifying the geostats command
and do those events have the fields "lat" and "lon" that you specified for geostats?