Only raw logs. Splunk resolves IPs to Country/Region/City (and geo coordinates, if you want to map these).
Mostly playing with raw logs, and then even RAW-er logs using Splunk Stream (a thing that switches the network interface into promiscuous mode and gives me all data for all protocols and any context I ever want).
For example, I can analyze anomalies in web hits and anomalies in web sessions to discover new, previously unknown traffic sources and patterns.
It helped to discover 2 new classes of cyberattacks I didn't know were targeting my server.
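As an added illustration of the approach described in this reply (not the poster's own search), here is one way to do the IP-to-country resolution and the per-country web-hit anomaly check in Splunk SPL. It assumes web access logs indexed with the standard `access_combined` sourcetype (client address in the `clientip` field) and the built-in `iplocation` command; the index name and the z-score threshold are assumptions.

```spl
index=web sourcetype=access_combined
| iplocation clientip
| fillnull value="unknown" Country
| bin _time span=1h
| stats count AS hits dc(clientip) AS unique_ips BY _time Country
| eventstats avg(hits) AS avg_hits stdev(hits) AS sd_hits BY Country
| eval sd_hits=if(sd_hits=0, 1, sd_hits)
| eval zscore=round((hits-avg_hits)/sd_hits, 2)
| where zscore > 3
| sort -zscore
| table _time Country hits unique_ips avg_hits zscore
```

Rows that survive the `where` clause are hours in which a single country sent far more requests than its own baseline; `unique_ips` helps tell a distributed source from one noisy address.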
Do you pull any info regarding the IP addresses, or is it only the raw logs that you're going through?