Add a geo IP field
You can add a Geo IP field to any dataset in your data model that already has a field with a Type of ipv4 in its field list. The ipv4 field must appear above the position of the Geo IP field in the field list, and it cannot already be in use for a different Geo IP field calculation.
The Geo IP field is a type of lookup. It reads the IP address values in your dataset's events and can add the related longitude, latitude, city, region, and country values to those events.
- In the Data Model Editor, open the dataset you'd like to add a field to.
- Click Add Field and select Geo IP to define a Geo IP field.
  - The "Add Geo Fields with an IP Lookup" page opens.
- Choose the IP field that you want to match, if more than one exists for the selected dataset.
- Select the fields that you want to add to your dataset.
- (Optional) Rename selected fields by changing their Display Name.
  - Display names cannot include asterisk characters.
- (Optional) Click Preview to verify that the GeoIP field is correctly updating your events with the GeoIP fields that you have selected.
  - You should see events in table format with the new GeoIP field(s) included as columns. For example, if you're working with an event-based dataset and you've selected the City, Region, and Country GeoIP fields, the preview event table should display City, Region, and Country columns to the right of the first column (_time).
  - The preview pane has two tabs. Events is the default tab. It presents the events in table format. Select the Values tab to review the distribution of GeoIP field values among your events.
  - If you're not seeing the range of values you're expecting, try increasing the preview event sample. By default this sample is set to the first thousand events. You might increase it by setting the Sample value to First 10,000 events or Last 7 days.
- Click Save to save your changes.
  - You will be returned to the Data Model Editor. The Geo IP fields that you have defined will be added to the dataset's set of Calculated fields.
This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11