Changes

Jump to navigation Jump to search

Splunk: Python Lookup (edit)

Revision as of 08:04, 15 November 2019

657 bytes added ,  08:04, 15 November 2019
m
no edit summary
Line 69: Line 69:  
from splunk_lookup import SplunkLookup
 
from splunk_lookup import SplunkLookup
 
from geoip2 import database
 
from geoip2 import database
 +
from geoip2.errors import AddressNotFoundError
 +
    
DB_PATH = '/usr/share/geoip/GeoIP2-City.mmdb'
 
DB_PATH = '/usr/share/geoip/GeoIP2-City.mmdb'
Line 104: Line 106:  
             locator = Geolocator(argument_value1)
 
             locator = Geolocator(argument_value1)
 
             return locator.location
 
             return locator.location
         except Exception as e:
+
         except (AddressNotFoundError, ValueError, TypeError):
 
             return 'Unknown'
 
             return 'Unknown'
   Line 111: Line 113:  
     SplunkLookupGeoIP()
 
     SplunkLookupGeoIP()
    +
</syntaxhighlight>Define your lookup At Splunk (Settings > Lookups > Lookup definitions)
 +
[[File:Splunk Lookup Definition.png|alt=Splunk Lookup Creation|left|frameless|800x800px|Splunk Lookup Creation]]
 +
<br />
 +
===Query Usage Example===
 +
<syntaxhighlight lang="text">
 +
sourcetype="pfsense:filterlog" host="pfsenseoperacionesinternet.rra.lan" dest_int=pppoe0 direction=inbound vendor_action=block | lookup GeoIP ipaddr as src_ip OUTPUT location | stats count by src_ip, location, dest_port, vendor_action | sort -num(count), sort num(src_ip), sort str(location), sort num(dest_port)
 
</syntaxhighlight>
 
</syntaxhighlight>
Retrieved from "https://wiki.herrerosolis.com/index.php/Special:MobileDiff/2031...2035"

Navigation menu