Splunk® Enterprise

Knowledge Manager Manual

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

Add a geo IP attribute

You can add a Geo IP attribute to any object in your data model that already has an attribute with a Type of ipv4 in its attribute list. The ipv4 attribute must appear above the location for the Geo IP attribute, and it cannot already be in use for a different Geo IP attribute calculation.

The Geo IP attribute is a type of lookup. It reads the IP address values in your object's events and can add the related longitude, latitude, city, region, and country values to those events.

1. In the Data Model Editor, open the object you'd like to add an attribute to.

2. Click Add Attribute and select Geo IP to define a Geo IP attribute.

The "Add Geo Attributes with an IP Lookup" page opens.

3. Choose the IP attribute that you want to match, if more than one exists for the selected object.

4. Select the attributes that you want to add to your object.

5. (Optional) Rename selected attributes by changing their Display Name.

Display names cannot include asterisk characters.

6. (Optional) Click Preview to verify that the GeoIP attribute is correctly updating your events with the GeoIP attributes that you have selected.

You should see events in table format with the new GeoIP attribute(s) included as columns. For example, if you're working with an event-based object and you've selected the City, Region, and Country GeoIP attributes, the preview event table should display City, Region, and Country columns to the right of the first column ('_time).
The preview pane has two tabs. Events is the default tab. It presents the events in table format. Select the Values tab to review the distribution of GeoIP attribute values among your events.
If you're not seeing the range of values you're expecting, try increasing the preview event sample. By default this sample is set to the first thousand events. You might increase it by setting the Sample value to First 10,000 events or Last 7 days.

6.1 dm add geoip att prev.png

7. Click Save to save your changes.

You will be returned to the Data Model Editor. The Geo IP attributes that you have defined will be added to the object's set of Calculated attributes.

Note: Geo IP attributes are added to your object as required attributes, and their Type values are predetermined. You cannot change these values.

Last modified on 08 September, 2016
Add a regular expression attribute
Overview of summary-based search and pivot acceleration

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters