Geo lookup on "data.ip OR ip"

Follow

Mark Drummond

• September 20, 2022 12:01

Due to a change in log format, the IP addresses I want to do a geo lookup on might be stored under "data.ip" for new logs, or just "ip" for older logs. I want to do the equivalent of:

| lookup latitude, longitude, city, country_name
  from geo://location on ip=(%data.ip or ip)

Is there a way to do this?

0

• 

  Julien Bernard

  • September 20, 2022 12:15

  Dear Mark,

  The easiest may be to select which field is available first, then apply the GeoIP on the result (the field ip_merge will either contain the value of ip field if not empty, or the value of data.ip if it's empty):

  | if (IsEmpty(ip), %"data.ip", ip) as ip_merged
  | geoip ip_merged

  1

  Comment actions Permalink
• 

  Mark Drummond

  • September 21, 2022 14:08

  That worked, thanks!

  0

  Comment actions Permalink

Please sign in to leave a comment.