Add a geo IP attribute
You can add a Geo IP attribute to any object in your data model that already has an attribute with a Type of ipv4 in its attribute list. The ipv4 attribute must appear above the location for the Geo IP attribute, and it cannot already be in use for a different Geo IP attribute calculation.
The Geo IP attribute is a type of lookup. It reads the IP address values in your object's events and can add the related longitude, latitude, city, region, and country values to those events.
1. In the Data Model Editor, open the object you'd like to add an attribute to.
2. Click Add Attribute and select Geo IP to define a Geo IP attribute.
- The "Add Geo Attributes with an IP Lookup" page opens.
3. Choose the IP attribute that you want to match, if more than one exists for the selected object.
4. Select the attributes that you want to add to your object.
5. (Optional) Rename selected attributes by changing their Display Name.
- Display names cannot include asterisk characters.
6. (Optional) Click Preview to verify that the GeoIP attribute is correctly updating your events with the GeoIP attributes that you have selected.
- You should see events in table format with the new GeoIP attribute(s) included as columns. For example, if you're working with an event-based object and you've selected the City, Region, and Country GeoIP attributes, the preview event table should display City, Region, and Country columns to the right of the first column ('_time).
- The preview pane has two tabs. Events is the default tab. It presents the events in table format. Select the Values tab to review the distribution of GeoIP attribute values among your events.
- If you're not seeing the range of values you're expecting, try increasing the preview event sample. By default this sample is set to the first thousand events. You might increase it by setting the Sample value to First 10,000 events or Last 7 days.
7. Click Save to save your changes.
- You will be returned to the Data Model Editor. The Geo IP attributes that you have defined will be added to the object's set of Calculated attributes.
Note: Geo IP attributes are added to your object as required attributes, and their Type values are predetermined. You cannot change these values.
Add a regular expression attribute
Overview of summary-based search and pivot acceleration
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11