Question

Using geoip at drilldown

  • 22 October 2021


Hi,

At https://servicedesk.logpoint.com/hc/en-us/community/posts/360008777778-How-To-video-Using-GeoIP-with-LogPoint Kalyan Bhetwal provided the following query:

norm_id=*  destination_address=* -destination_address in HOMENET  | chart count() by destination_address, country order by count() desc limit 10 | process geoip(destination_address) as country

To my comment “With the ‘new’ query it's not possible to make a drill down.” he wrote:

We will have a new feature in an upcoming version of LogPoint where the geoip used after chart count() will also be present in drilldown. This will solve the drilldown problem.

What about the new feature? At the moment, it’s still not possible to make a drill down.

I use LogPoint 6.12.1.

Best regards,

Hans Vedder


1 reply


Hello Hans,

This feature is still in the pipeline, as there seems to be a simple workaround for this use case. We can apply a static enrichment on the incoming logs by using the “GeoIp_source_address” enrichment source.

However, this may not work for mapping the destination address traffic, as the enrichment source matches the “source_address”, not the “destination_address”.

We cannot drill down right now, as the logs are enriched only at the time of the search lookup, when the process command is used. This information will not persist in the actual logs if static enrichment is not configured.

We will update regarding this use case once this feature is available through dynamic enrichment.
