Splunk app (Geo Location Lookup Script (powered by MAXMIND)) & splunk sdk different results

StackOverflow https://stackoverflow.com/questions/17345390

01-06-2022

Question

I get a strange behaviour using the "Geo Location Lookup Script (powered by MAXMIND)" app for Splunk and the Java Splunk SDK. I suppose I'm missing something, but I can't find any solution on the Internet.

When I'm launching my search via my local Splunk server, I get the correct answer with these fields:

  • client_country
  • client_lat
  • client_lon

But when I'm sending the same request from my own application, I don't get any of these fields.

Here is the request I send:

* | rex field=_raw "(?<ip>\d+\.\d+\.\d+\.\d+)" | lookup geoip clientip as ip

Here is my application code:

    // Groovy script using the Splunk Java SDK (com.splunk)
    import com.splunk.Job
    import com.splunk.JobArgs
    import com.splunk.JobResultsArgs
    import com.splunk.ResultsReaderJson
    import com.splunk.Service

    def connectionParameters = [host: 'host', username: 'user', password: 'pass']
    Service service = Service.connect(connectionParameters)

    // Same search as in the Splunk UI, prefixed with "search" as the SDK requires.
    // Backslashes are doubled so the regex reaches Splunk intact ('\d' is not a valid Groovy escape).
    String mySearch = 'search * | rex field=_raw "(?<ip>\\d+\\.\\d+\\.\\d+\\.\\d+)" | lookup geoip clientip as ip'
    JobArgs jobargs = new JobArgs()
    jobargs.setExecutionMode(JobArgs.ExecutionMode.BLOCKING)   // wait until the job is done
    Job job = service.getJobs().create(mySearch, jobargs)

    // Specify JSON as the output mode for results
    JobResultsArgs resultsArgs = new JobResultsArgs()
    resultsArgs.setOutputMode(JobResultsArgs.OutputMode.JSON)

    // Display results in JSON using ResultsReaderJson
    InputStream results = job.getResults(resultsArgs)
    ResultsReaderJson resultsReader = new ResultsReaderJson(results)
    try {
        def event
        while ((event = resultsReader.getNextEvent()) != null) {
            for (String key : event.keySet()) {
                System.out.println("   " + key + ":  " + event.get(key))
            }
        }
    } finally {
        resultsReader.close()
    }

On the console output, I get this:

   _sourcetype:  access_combined_wcookie
   index:  main
   host:  127.0.0.1
   _cd:  0:347390
   _serial:  99
   _si:  Snite
main
   splunk_server:  Snite
   linecount:  1
   _indextime:  1371115534
   source:  Sampledata.zip:.\apache2.splunk.com/access_combined.log
   _raw:  10.2.91.40 - - [12/Jun/2013:23:37:44] "GET /flower_store/category.screen?category_id=GIFTS HTTP/1.1" 200 10567 "http://mystore.splunk.com/flower_store/cart.do?action=purchase&itemId=EST-26&JSESSIONID=SD5SL10FF8ADFF3" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070223 CentOS/1.5.0.10-0.1.el4.centos Firefox/1.5.0.10" 1347 2752
   _kv:  1
   sourcetype:  access_combined_wcookie
   _bkt:  main~0~4A7411B3-FDE3-4CE1-8118-E7D35D2F6C72
   _time:  2013-06-12T23:37:44.000+02:00

What am I missing?

Snite


Solution

I found the solution reading this topic.

So here is my final request:

search * | rex field=_raw "(?<clientip>\d+\.\d+\.\d+\.\d+)" | lookup geoip clientip OUTPUT client_lat as lat client_lon as lon | table lat lon

The OUTPUT part seems to indicate which fields to extract, and the table part puts specific fields in the response (only these fields).

Here is my response (formatted in my controller):

[[lon:2.0, lat:46.0], [lon:2.0, lat:46.0], [lon:2.0, lat:46.0], [lon:2.0, lat:46.0], [lon:-116.6167, lat:31.8667], [lon:-116.6167, lat:31.8667], [lon:-116.6167, lat:31.8667], [lon:-116.6167, lat:31.8667]]

Licensed under: CC-BY-SA with attribution