Splunk Cloud Platform

Knowledge Manager Manual

Add a Geo IP field

You can add a Geo IP field to any dataset in your data model that already has a field with a Type of ipv4 in its field list. The ipv4 field must appear above the location for the Geo IP field, and it cannot already be in use for a different Geo IP field calculation.

The Geo IP field is a type of lookup. It reads the IP address values in your dataset's events and can add the related longitude, latitude, city, region, and country values to those events.

  1. In the Data Model Editor, open the dataset you'd like to add a field to.
  2. Click Add Field and select Geo IP to define a Geo IP field.
    The "Add Geo Fields with an IP Lookup" page opens.
  3. Choose the IP field that you want to match, if more than one exists for the selected dataset.
  4. Select the fields that you want to add to your dataset.
  5. (Optional) Rename selected fields by changing their Display Name.
    Display names cannot include asterisk characters.
  6. (Optional) Click Preview to verify that the Geo IP field is correctly updating your events with the Geo IP fields that you have selected.
    You should see events in table format with the new Geo IP field(s) included as columns. For example, if you're working with an event-based dataset and you've selected the City, Region, and Country Geo IP fields, the preview event table should display City, Region, and Country columns to the right of the first column (_time).
    The preview pane has two tabs. Events is the default tab. It presents the events in table format. Select the Values tab to review the distribution of Geo IP field values among your events.
    If you're not seeing the range of values you're expecting, try increasing the preview event sample. By default this sample is set to the first thousand events. You might increase it by setting the Sample value to First 10,000 events or Last 7 days.
    6.1 dm add geoip att prev.png
  7. Click Save to save your changes.
    You will be returned to the Data Model Editor. The Geo IP fields that you have defined will be added to the dataset's set of Calculated fields.
    Note: Geo IP fields are added to your dataset as required fields, and their Type values are predetermined. You cannot change these values.
Last modified on 20 June, 2019
Add a regular expression field   Overview of summary-based search acceleration

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release), 9.2.2406


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters