Splunk Search

Googlemaps local IP lookups for geoip and populating _geo

rblair978
Explorer

I have the GoogleMaps app and MAXMIND installed.

I have a stream of syslog data that I am extracting a Field named SourceIP. I want to do geo ip lookups on these host addresses. Unfortunately for now in the lab configuration, I'm using all 10.x.y.z address space.

I need to do a local lookup for my 10.x.y.z nodes with a /32 mask. I created a local_ip.csv file and put the client IP, lat, lon into it as quoted comma delimited values.

My transforms.conf is as follows:

[dcfw_extract]
REGEX = (\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)\s(\S+)(.*)
FORMAT = DATE::$1 TIME::$2 DeviceID::$3 Facilty::$4 RuleID::$5 MessageID::$6 Action::$7 Protocol::$8 SourceIP::$9 SourcePort::$10 DestinationIP::$11 DestinationPort::$12 VirtualSvc::$13 SnatIP::$14 Comment::$15

[local_ip]
filename = local_ip.csv
max_matches = 1
min_matches = 1
match_type = CIDR(SourceIP)

I created a local_ip.csv file and it is located in ....\Splunk\etc\apps\maps\lookups. This file contains 5 host IPs I'm trying to match on to get the lat/lon values.

"clientip","client_lat","client_lon"
"10.2.5.201/32","74.00","42.00"
"10.1.1.101/32","75.00","43.00"
"10.2.1.101/32","76.00","44.00"
"10.3.1.102/32","77.00","45.00"
"10.4.1.201/32","78.00","46.00"

I've tried different field names, i.e. latitude and longitude, and quoted and non-quoted values. I saw an example that Will posted showing the .csv file was quoted in his example.

My View XML lineitem is as follows:

<param name="search">SourceIP=* | lookup local_ip.csv clientip as SourceIP| geoip SourceIP</param>

With this call the map does not report syntax errors. As I watch it loading and building the preview it flashes up an Error Loading on the upper left hand corner of the map.

I override the lookup with an eval _geo="72.00,44.00" | geoip SourceIP and it renders my data counts.

I'm having a hard time tracking down why my lookup doesn't get the fields for lat / lon.
If I try to do a lookup with geoip clientip as SourceIP I get a file not found error, because I do not have a geoip.csv file. Should I?

I've been through a lot of the online help already. I can't seem to narrow this down to a root cause.

Thanks in advance for any help you may be able to provide.

0 Karma

dart
Splunk Employee

I think your issue is your match:

[local_ip]
filename = local_ip.csv
max_matches = 1
min_matches = 1
match_type = CIDR(clientip)

As the field in the lookup is called clientip.

0 Karma
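To show what the corrected stanza does, here is an added Python model of the lookup step (not Splunk's own code): it applies the poster's dcfw_extract regex to a constructed syslog line, reads a constructed CSV with the same columns as local_ip.csv, and performs the CIDR match that `lookup local_ip.csv clientip as SourceIP` triggers, showing that the column named in match_type must exist in the CSV (clientip) while the event field (SourceIP) is mapped by the `as` clause. The sample line and addresses are constructed for the example.

```python
import csv
import io
import ipaddress
import re

# Field order from the poster's [dcfw_extract] FORMAT; the regex is the same 15-group pattern.
FIELDS = ["DATE", "TIME", "DeviceID", "Facilty", "RuleID", "MessageID", "Action",
          "Protocol", "SourceIP", "SourcePort", "DestinationIP", "DestinationPort",
          "VirtualSvc", "SnatIP", "Comment"]
DCFW_REGEX = re.compile(r"\s".join([r"(\S+)"] * 15) + r"(.*)")

# Constructed lookup table with the same columns as the poster's local_ip.csv.
LOCAL_IP_CSV = '''"clientip","client_lat","client_lon"
"10.2.5.201/32","74.00","42.00"
"10.1.1.101/32","75.00","43.00"
'''

# Constructed syslog line in the 15-field layout the regex expects (RFC 5737 test addresses).
SAMPLE_LINE = ("2024-05-01 12:00:00 fw01 local4 1001 200001 accept tcp 10.2.5.201 51515 "
               "192.0.2.10 443 web-vs 203.0.113.5 allowed by policy")

def extract_fields(line):
    """Apply the dcfw_extract regex and name the groups as the FORMAT line does."""
    m = DCFW_REGEX.match(line)
    if m is None:
        return {}
    return dict(zip(FIELDS, m.groups()))

def load_lookup(csv_text, match_field):
    """Parse the CSV and pre-build networks for the column named in match_type = CIDR(<column>).
    That column must exist in the file: CIDR(SourceIP) fails for this CSV, CIDR(clientip) works."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if rows and match_field not in rows[0]:
        raise KeyError(f"lookup file has no column {match_field!r}; columns: {list(rows[0])}")
    return [(ipaddress.ip_network(r[match_field], strict=False), r) for r in rows]

def enrich(event, lookup_rows, lookup_field="clientip", event_field="SourceIP"):
    """Model of `lookup local_ip.csv clientip as SourceIP`: test the event's SourceIP against the
    CIDR keys and copy the other columns in; first hit wins (max_matches = 1)."""
    out = dict(event)
    try:
        addr = ipaddress.ip_address(event.get(event_field, ""))
    except ValueError:
        return out  # no usable address, nothing to enrich
    for net, row in lookup_rows:
        if addr in net:
            out.update({k: v for k, v in row.items() if k != lookup_field})
            out["_geo"] = f"{row['client_lat']},{row['client_lon']}"  # what the map reads
            break
    return out
```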