Hi all,
I have a strange behaviour with iplocation:
- I'm migrating some apps and indexes from an old infrastructure to a new one;
- I checked differences in data and I have the same events in both the Indexes (old and new);
- looking at geolocalization I found differences in one event;
- I ran the searches:
  - the first on the old server from the new one (the new one is configured as search head and the old one is configured as search peer),
  - the second on the local indexes of the new server;
- the same event present in both the indexes (old and new) has the same Ip_Source in both the indexes but has different lat and lon fields from the iplocation command in the two indexes.
Here are the two versions of the event (it's the same _raw with different metadata) with the interesting fields:
30/08/17 09.56.00,000
2017-08-30 09:56:00.000, Data_Apertura="2017-08-30 09:56:00.0", Matricola="XXXXX", Cognome="XXXXX", SubArea="XX. Short_Message", Desc_lunga="Long_Message", Severity="Medium", Provenienza_Segnalazione="XXXXX", id="XXX", Ip_Source="xx.xxx.xx.x", Status="Chiuso"
• Ip_Source = xx.xxx.xx.x
• host = host1
• index = index1
• lat = 33.81810
• lon = -84.36040
• source = source1
• sourcetype = sourcetype1
30/08/17 09.56.00,000
2017-08-30 09:56:00.000, Data_Apertura="2017-08-30 09:56:00.0", Matricola="XXXXX", Cognome="XXXXX", SubArea="XX. Short_Message", Desc_lunga="Long_Message", Severity="Medium", Provenienza_Segnalazione="XXXXX", id="XXX", Ip_Source="xx.xxx.xx.x", Status="Chiuso"
• Ip_Source = xx.xxx.xx.x
• host = host2
• index = index2
• lat = 38.00000
• lon = -97.00000
• source = source2
• sourcetype = sourcetype2
Is it possible that different servers (with different versions of Splunk) return different lat and lon values after the iplocation command?
Does the iplocation command use a lookup located on the server where the search is executed, or on the indexers?
Bye.
Giuseppe
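An added diagnostic search, not part of the original post, that assumes the index names `index1`/`index2` and the field `Ip_Source` from the post. It runs iplocation over both indexes, keeps the `splunk_server` that answered for each event, and reports only the IPs whose lat/lon differ between servers; the `default_centroid` flag assumes that 38.0,-97.0 is the country-level fallback coordinate the bundled MaxMind database returns when an IP resolves to the US without city detail, so a match suggests an older or coarser GeoIP file on that peer rather than a different address.

```spl
(index=index1 OR index=index2) Ip_Source=*
| iplocation Ip_Source
| eval geo = lat . "," . lon
| eval default_centroid = if(lat == 38 AND lon == -97, "yes", "no")
| stats dc(geo) AS geo_variants
        values(geo) AS geos
        values(splunk_server) AS servers
        values(default_centroid) AS default_centroid
        BY Ip_Source
| where geo_variants > 1
```

To confirm which peer each result came from and its Splunk version, `| rest /services/server/info | table splunk_server version` lists the search head and every connected peer; a version mismatch in that table alongside a `yes` in `default_centroid` points at the GeoIP database on that peer.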