The Geo Location Lookup Script is a lookup script used to provide geolocation information for IP addresses. Looking at the documentation, we see this example:
eventtype=firewall_event | lookup geoip clientip as src_ip
You can find the documentation for any Splunkbase app by searching for it at https://splunkbase.com, or by clicking on View details on Splunk apps (next to any installed app), clicking on Apps, and viewing the Apps page.
Let's go through the arguments of the lookup command:
- geoip: This is the name of the lookup provided by Geo Location Lookup Script. You can see the available lookups by going to Settings | Lookups | Lookup definitions.
- clientip: This is the name of the field in the lookup that we are matching against.
- as src_ip: This says to use the value of src_ip to populate the field before it, in this case, clientip. I personally find this wording confusing. In my mind, I read this as using instead of as.
Included in the ImplementingSplunkDataGenerator app (available at http://packtpub.com/support) is a sourcetype instance named impl_splunk_ips, which looks like this:
2012-05-26T18:23:44 ip=64.134.155.137
The IP addresses in this fictitious log are from one of my websites. Let's see some information about these addresses:
sourcetype="impl_splunk_ips" | lookup geoip clientip AS ip | top client_country
This gives us a table similar to the one shown in the following screenshot (note that after running the command, new fields are added, such as client_country):
That's interesting. I wonder who is visiting my site from Slovenia.
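To make the direction of AS concrete, here is an added Python emulation of the search above (this is not code from the book or from Splunk, and it does not call the real Geo Location Lookup Script). It parses a few constructed events in the impl_splunk_ips format, joins them against a constructed stand-in for the geoip table whose match column is named clientip, and then reproduces what top client_country reports. The addresses are documentation ranges and the countries are invented; only the field names follow the page.

```python
import re
from collections import Counter

# Constructed sample events in the impl_splunk_ips format shown above
# (documentation-range addresses, not the book's real addresses).
SAMPLE_EVENTS = """\
2012-05-26T18:23:44 ip=198.51.100.7
2012-05-26T18:24:01 ip=203.0.113.42
2012-05-26T18:24:09 ip=198.51.100.7
2012-05-26T18:25:13 ip=192.0.2.250
2012-05-26T18:26:30 ip=198.51.100.7
2012-05-26T18:27:02 ip=203.0.113.42
2012-05-26T18:28:45 ip=192.0.2.1
"""

# Constructed stand-in for the geoip lookup table: its match field is
# named clientip and it returns client_country (the countries are invented).
GEOIP_LOOKUP = [
    {"clientip": "198.51.100.7", "client_country": "United States"},
    {"clientip": "203.0.113.42", "client_country": "Slovenia"},
    {"clientip": "192.0.2.250", "client_country": "Germany"},
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(raw):
    """Turn raw lines into event dicts holding _time plus key=value fields."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        timestamp, _, rest = line.partition(" ")
        event = {"_time": timestamp}
        event.update(KV_RE.findall(rest))
        events.append(event)
    return events


def lookup(events, table, lookup_field, event_field=None):
    """Emulate `lookup <table> <lookup_field> AS <event_field>`.

    lookup_field names the column in the table; event_field names the field
    in the event whose value is compared against that column. On a match,
    every other table column is copied into the event. Without AS the event
    field is assumed to have the same name as the table column, so events
    that only carry `ip` get nothing back. Unmatched events are left as-is.
    """
    event_field = event_field or lookup_field
    index = {row[lookup_field]: row for row in table}
    for event in events:
        row = index.get(event.get(event_field))
        if row is not None:
            for key, value in row.items():
                if key != lookup_field:
                    event[key] = value
    return events


def top(events, field):
    """Emulate `top <field>`: count and percent, most common first.

    Events that lack the field are excluded from the rows and from the
    percentage denominator, as Splunk's top does.
    """
    counts = Counter(e[field] for e in events if field in e)
    total = sum(counts.values())
    return [
        {field: value, "count": n, "percent": round(100.0 * n / total, 2)}
        for value, n in counts.most_common()
    ]


def run_search():
    """sourcetype="impl_splunk_ips" | lookup geoip clientip AS ip | top client_country"""
    events = parse_events(SAMPLE_EVENTS)
    enriched = lookup(events, GEOIP_LOOKUP, "clientip", "ip")
    return top(enriched, "client_country")


if __name__ == "__main__":
    for row in run_search():
        print(row)
```

Running it lists United States, Slovenia and Germany with counts 3, 2 and 1; the event for 192.0.2.1 has no row in the table, so it gains no client_country and drops out of the top results. Calling lookup without the event_field argument shows the failure mode the AS clause avoids: the table column is clientip, the events only have ip, and nothing is enriched.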