The result set from the following query suggests that these proxied requests originate from three countries. But peeling back the X-Forwarded-For values, the leftmost IP address appears to provide the detail necessary for geocoding back to the actual geo origin or the requests. It would appear that the geocoding is being applied to the righthand data center IPs where the proxies reside, as opposed to the expected leftmost internet-facing IP addresses.
Is this expected? Or is there something misplaced in the query?
select geocoded_data['country'], x_forwarded_for, count(1) from webrequest where year = 2015 and month = 10 and day = 25 and hour = 1 and is_pageview = true and agent_type = 'user' and access_method = 'mobile web' and x_analytics_map['proxy'] = 'IORG' group by geocoded_data['country'], x_forwarded_for;