- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How can I use Geolocation of a private IP spac...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to use the geostats feature but how do I do so on a private WAN and the syslog does not have Lat Long fields/raw data? I have an eval that assigns a city to an address space, is there a way to tack onto this eval/lookup a way to plug in Lat and Long? I don't mind having to manually input the Lat Long in the .csv, but I don't know how to make splunk read those fields in the lookup table and output the map with location.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well you can setup a lookup table that has all the subnets and necessary info like:
IPv4Address SubnetMask City lat lon
203.25.11.0/24 255.255.255.0 CityXYZ xxxx yyyy
Now create a lookup definition, say resolveIP, based on that .csv and add
CIDR(IPv4Address) in the field "Match Type"
in your search for map chart
...your search | lookup resolveIP IPv4Address OUTPUT City lat lon | geostats maxzoomlevel=18 globallimit=0 count by City
Hope that will help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well you can setup a lookup table that has all the subnets and necessary info like:
IPv4Address SubnetMask City lat lon
203.25.11.0/24 255.255.255.0 CityXYZ xxxx yyyy
Now create a lookup definition, say resolveIP, based on that .csv and add
CIDR(IPv4Address) in the field "Match Type"
in your search for map chart
...your search | lookup resolveIP IPv4Address OUTPUT City lat lon | geostats maxzoomlevel=18 globallimit=0 count by City
Hope that will help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@nabeel652, as a search optimization you should perform stats first... then lookup and finally geostats. This way data enrichment happens for aggregated field rather than all events.
<BaseSearch>
| stats count by IPv4Address
| lookup resolveIP IPv4Address OUTPUT City lat lon
| geostats maxzoomlevel=18 globallimit=0 sum(count) by City
Refer to documentation for this search optimization: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Geostats#Usage
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@niketnilay
You’re right but that’s not what we’re focusing here. It may come under
...your search |
That I mentioned before the search. Anyway thanks for pointing out 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Right, because the lookup command would function as the iplocation one..
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
