$geo (parse-spec) function

Similar to the preceding $ipaddr() function, except that it returns the two-letter country code for the IPv4 portion of the word given by parse-spec. If the parse-spec value does not return an IP address, the match specification is not matched. This function is especially useful in a nested specification (see the section that follows).

Examples (target string, parse expression, return value):

Target string: src: 192.168.1.1 dest: 10.1.1.2
Parse expression: $geo ($2)
Return value: ZZ
Note: The ZZ country code indicates that 192.168.1.1 is a local address.

Target string: address target: 1.2.1.1:88 logged
Parse expression: $geo ($extip())
Return value: CN
Note: The 1.2.1.1 address is located in China. The $extip() function returns the IP address from the message.

Target string: dropped=66.2.3.45
Parse expression: $geo (dropped=*)
Return value: US
Note: The 66.2.3.45 address is located in the USA.

Target string: Test 123
Parse expression: $geo ($2)
Return value: No match. The second word of the target string is not an IP address.

Target string: Test 192.1.1.1 value
Parse expression: $geo (xxx: *)
Return value: No match. There is no match for xxx: * in the target string.
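As an added illustration that is not part of this documentation or of the product, the following Python emulates the $geo() behaviour described above: the $2, $extip() and "prefix*" parse-specs are modelled as small helper functions, private or loopback addresses yield ZZ, and a constructed two-entry table (assumed here, mirroring the page's examples) stands in for a real geolocation database.

```python
import ipaddress
import re

# Constructed stand-in for a geolocation database; the two entries mirror the
# examples on this page. A real deployment queries an actual GeoIP database,
# so any public address missing from this table simply yields no match.
GEO_DB = {"1.2.1.1": "CN", "66.2.3.45": "US"}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def extip(target):
    """Emulates $extip(): the first IPv4 address found anywhere in the message."""
    m = IPV4_RE.search(target)
    return m.group(1) if m else None


def word(target, n):
    """Emulates $N: the n-th whitespace-separated word of the target string."""
    words = target.split()
    return words[n - 1] if 0 < n <= len(words) else None


def wildcard(target, pattern):
    """Emulates a 'prefix*' parse-spec: the word following the literal prefix."""
    prefix = pattern.rstrip("*")
    idx = target.find(prefix)
    if idx < 0:
        return None                     # prefix absent: the spec does not match
    rest = target[idx + len(prefix):].split()
    return rest[0] if rest else None


def geo(value):
    """Emulates $geo(): two-letter code, ZZ for local addresses, None for no match."""
    if value is None:
        return None
    m = IPV4_RE.match(value)            # tolerates a trailing ':port' as in 1.2.1.1:88
    if not m:
        return None                     # the word is not an IP address
    try:
        addr = ipaddress.IPv4Address(m.group(1))
    except ValueError:
        return None                     # e.g. an octet above 255
    if addr.is_private or addr.is_loopback:
        return "ZZ"
    return GEO_DB.get(str(addr))
```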


BMC Defender SIEM Correlation Server 5.9