A Splunk admin wants to enrich web server logs with geographic location data based on IP addresses. Which approach should they use?
Correct answer: the lookup command, which enriches events with fields pulled from an external source such as a GeoIP database.
Why this answer
Option A is correct because Splunk's lookup command, combined with a lookup definition that references a geographic IP-to-location database (such as MaxMind GeoLite2), lets the admin enrich web server logs with fields like city, country, and coordinates keyed on the client IP address. This is the standard approach for IP geolocation enrichment in Splunk: the location data already exists in an external table, so the search only has to join against it rather than parse or compute anything. One practical caveat: a plain CSV lookup matches exact values, so a GeoIP table keyed by network range needs its lookup definition configured for CIDR matching (match_type = CIDR(<network field>) in transforms.conf) or the lookup will never match a host address against a /24. Splunk also ships the built-in iplocation command, which does the same enrichment from a bundled GeoLite2 database; among the four options here, lookup is the one that describes that mechanism.
Exam trap
The trap is that candidates confuse extraction (rex pulls a field out of raw text) with enrichment (lookup adds fields that are not in the event at all), or assume an IP address somehow encodes its geographic location and can be parsed with a regex. It does not: mapping an address to a place requires an external database of address ranges, which is exactly what a lookup provides.
How to eliminate wrong answers
Option B is wrong because the rex command extracts fields from raw event text with regular expressions; it can pull the client IP out of an access log line, but the string "203.0.113.42" carries no country or city for a regex to capture. Option C is wrong because the eval command performs calculations and string manipulation on fields that already exist; its cidrmatch() function can test whether an address falls inside one range you hard-code, but eval has no table mapping ranges to locations, so it cannot produce coordinates from an IP without an external lookup. Option D is wrong because the fields command only includes or excludes fields already present in the results; it adds nothing from an external source and so cannot enrich events with geographic data.
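To make the extraction-versus-enrichment distinction concrete, here is an added Python simulation of the two steps a Splunk search performs: the rex-style regex pulls clientip out of the raw line, and a CIDR-matching lookup table supplies the geographic fields that the line itself never contained. This is illustration code written for this page, not Splunk's implementation; the lookup CSV, the CIDR ranges and the access log lines are all constructed for the demo (documentation networks, not real GeoIP data). The Splunk equivalent of the geo_lookup step is a lookup definition with match_type = CIDR(network) followed by a search like `... | lookup geo_ip_cidr network AS clientip OUTPUT country city lat lon`.

```python
"""Simulate Splunk's lookup-based IP geolocation enrichment over web access logs.

Added example for this page; not Splunk code. All CSV rows, CIDR ranges and
log lines are constructed for the demo.
"""
import csv
import io
import ipaddress
import re

# Constructed lookup table in the shape of a Splunk CSV lookup file.
# The 'network' column is what a CIDR(network) lookup definition would match on.
GEO_LOOKUP_CSV = """network,country,city,lat,lon
203.0.113.0/24,AU,Sydney,-33.87,151.21
198.51.100.0/25,DE,Berlin,52.52,13.41
198.51.100.128/25,DE,Munich,48.14,11.58
192.0.2.0/24,US,Denver,39.74,-104.99
"""

# Constructed Apache combined-style access log lines (the raw _raw text).
ACCESS_LOG = """203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.200 - - [10/Oct/2023:13:55:37 +0000] "POST /api/token HTTP/1.1" 401 87
10.0.0.7 - - [10/Oct/2023:13:55:38 +0000] "GET /health HTTP/1.1" 200 2
"""

# The rex step: a regex can only capture text that is literally in the event.
CLIENTIP_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)'
)


def load_geo_lookup(csv_text):
    """Parse the lookup CSV into (network, geo_fields) pairs.

    Sorted most-specific prefix first so an overlapping /25 wins over a /24,
    mirroring how a range-keyed GeoIP table is expected to resolve.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ipaddress.ip_network(row.pop("network"), strict=True)
        rows.append((net, row))
    rows.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return rows


def geo_lookup(lookup, clientip):
    """The lookup step: return geo fields for the first network containing clientip.

    Returns None for unparseable input or addresses in no listed range (for
    example private RFC 1918 space), the same way a Splunk lookup simply adds
    no output fields when nothing matches.
    """
    try:
        addr = ipaddress.ip_address(clientip)
    except ValueError:
        return None
    for net, fields in lookup:
        if addr.version == net.version and addr in net:
            return dict(fields)
    return None


def extract_fields(line):
    """The rex step: pull clientip/method/uri out of raw text. Nothing geographic here."""
    m = CLIENTIP_RE.match(line)
    return m.groupdict() if m else None


def enrich(log_text, csv_text):
    """Run extraction, then enrichment, over every log line; return the event list."""
    lookup = load_geo_lookup(csv_text)
    events = []
    for line in log_text.splitlines():
        event = extract_fields(line)
        if event is None:
            continue
        geo = geo_lookup(lookup, event["clientip"])
        if geo:
            event.update(geo)
        events.append(event)
    return events


if __name__ == "__main__":
    for event in enrich(ACCESS_LOG, GEO_LOOKUP_CSV):
        print(event)
```

Note that the third event (10.0.0.7) comes out with clientip, method and uri but no country or city: the regex succeeded and the lookup found no range, which is the behaviour you see in Splunk when a search hits internal traffic that the GeoIP table does not cover. No amount of additional regex work on that line would produce a location.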