You can see the available lookups by going to Manager | Lookups | Lookup definitions.
• clientip: This is the name of the field in the lookup that we are matching against.
• as src_ip: This says to use the value of src_ip to populate the field before it; in this case, clientip. I personally find this wording confusing. In my mind, I read this as "using" instead of "as".
Included in the ImplementingSplunkDataGenerator app (available at http://packtpub.com/) is a sourcetype instance named impl_splunk_ips, which looks like this:
2012-05-26T18:23:44 ip=64.134.155.137
The IP addresses in this fictitious log are from one of my websites. Let's see some information about these addresses:
sourcetype="impl_splunk_ips"
| lookup geoip clientip AS ip
| top client_country
This gives us a table similar to the one shown in the following screenshot:
That's interesting. I wonder who is visiting my site from Slovenia!
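The lookup and top stages of the search above, emulated in Python as an added example (this is not code from the book or from Splunk). The geoip table contents and the extra events are constructed, and the field-name direction follows the bullet list above: the lookup's clientip column is matched against each event's ip field.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample events in the impl_splunk_ips format shown above.
RAW_EVENTS = """\
2012-05-26T18:23:44 ip=64.134.155.137
2012-05-26T18:24:01 ip=64.134.155.137
2012-05-26T18:24:09 ip=203.0.113.9
2012-05-26T18:25:30 ip=198.51.100.23
"""

# Constructed stand-in for the geoip lookup table. Its key column is named
# clientip, not ip, which is why the search needs "clientip AS ip".
GEOIP_CSV = """\
clientip,client_country
64.134.155.137,United States
203.0.113.9,Slovenia
"""
EVENT_RE = re.compile(r"^(?P<_time>\S+) ip=(?P<ip>\S+)$")

def parse_events(raw):
    """Extract _time and ip from each raw line; skip lines that do not match."""
    return [m.groupdict() for m in map(EVENT_RE.match, raw.splitlines()) if m]

def load_lookup(csv_text):
    """Read a CSV lookup table into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def lookup(events, table, lookup_field, event_field):
    """Emulate `lookup <table> <lookup_field> AS <event_field>`: match the
    table's lookup_field against the event's event_field and copy the table's
    other columns onto each matching event. Unmatched events are left as-is."""
    index = {row[lookup_field]: row for row in table}
    for ev in events:
        row = index.get(ev.get(event_field))
        if row:
            ev.update({k: v for k, v in row.items() if k != lookup_field})
    return events

def top(events, field):
    """Emulate `top <field>`: most common values first; events without the
    field (here, the IP missing from the lookup) are not counted."""
    return Counter(ev[field] for ev in events if field in ev).most_common()

if __name__ == "__main__":
    enriched = lookup(parse_events(RAW_EVENTS), load_lookup(GEOIP_CSV), "clientip", "ip")
    print(top(enriched, "client_country"))
```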