All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I use iplocation with an ip address I get from a dbxquery?

jhdietz
New Member
‎07-11-2017 11:39 AM

Can I use iplocation with an ip address I get from a dbxquery?

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎07-11-2017 01:34 PM

Looking at your search again, I see that you have multiple typos in there.
It should be | iplocation remoteaddr instead of |iplocation = remotaddr (no equals sign and properly spelled field name).

I just tried this and it works just fine:

| makeresults | eval remoteaddr="50.26.126.246" | iplocation remoteaddr | geostats latfield=lat longfield=lon

Please ensure you are using the correct syntax and try again.

0 Karma
Reply

jhdietz
New Member
‎07-12-2017 08:46 AM

I got this working, the remoteaddr field is case sensitive so it worked after I use REMOTEADDR

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎07-12-2017 04:01 PM

🙂
Thanks for providing the update!

Yes, all Splunk field names are case-sensitive, field values are not.

BTW, geostats does not create latitude and longitude, it requires it as input args. Which is why you should see a lat and long field after running iplocation successfully.

0 Karma
Reply

jhdietz
New Member
‎07-12-2017 04:16 AM

Can you test using dbxquery? I get the same results with the "iplocation remoteaddr" syntax. I get nearly 12k worth of stats but no latitude or longitude when I add "| geostats latfield=lat longfield=lon"

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎07-11-2017 11:49 AM

Yes. As long as you have a field that contains an ip address, I see no reason why we care where it came from.

0 Karma
Reply

jhdietz
New Member
‎07-11-2017 12:14 PM

iplocation does work by itself but not with geostats

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎07-11-2017 12:23 PM

Share your search example and/or screenshot?
Do you have latitude/longitude fields in your events after using iplocation?

0 Karma
Reply

jhdietz
New Member
‎07-11-2017 12:52 PM

I don't have the lat/lon fields in my events and I can't attach a screenshot so here is my search:

|dbxquery connection=db.connection query="select remoteaddr from table" shortnames = t
|iplocation = remotaddr
|geostats latfield=lat longfield=lon globallimit=0

No results found.

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎07-11-2017 01:05 PM

Do you get any events without specifying the | geostats command and do those events have the fields "lat" and "lon" that you specified for geostats?

0 Karma
Reply

jhdietz
New Member
‎07-11-2017 01:08 PM

I get stats without specifying the geostats command

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎07-11-2017 01:27 PM

and do those events have the fields "lat" and "lon" that you specified for geostats?

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...