Search Reference

Example 2: iplocation


iplocation is a Splunk search command that determines location information from the IP addresses in your raw event data. The script, iplocation.py, searches the raw event for patterns that match the form of an IP address, looks each one up against an external location service, and creates fields in the event for the Country and City of that IP address.

Step 1: Write the code! Here is iplocation.py:

# Copyright (C) 2005-2010 Splunk Inc. All Rights Reserved. Version 4.0
# Python 2 script (it relies on urllib.urlopen and unicode()).
import sys
import re
import urllib
import splunk.Intersplunk

LOCATION_URL = "http://api.hostip.info/get_html.php?ip="

"""
This location url generates results that look like :
Country: UNITED STATES (US)
City: Kittanning, PA
"""

# Matches anything shaped like a dotted-quad IPv4 address in the raw event.
ipre = re.compile(r"\d+\.\d+\.\d+\.\d+")

results = []

try:
    # Read the events piped into this command by Splunk.
    results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()

    # Each distinct IP address is looked up only once per search.
    ipLocationCache = {}
    for r in results:
        if "_raw" in r:
            raw = r["_raw"]
            ips = ipre.findall(raw)
            i = 0
            for ip in ips:
                # The first IP gets the fields ip, Country and City; later ones
                # in the same event get ip1, Country1, City1 and so on.
                postfix = ""
                if i > 0:
                    postfix = str(i)

                r["ip" + postfix] = ip

                lines = []
                if ip in ipLocationCache:
                    lines = ipLocationCache[ip]
                else:
                    location = urllib.urlopen(LOCATION_URL + ip)
                    # Decode the reply with the charset from its Content-Type header.
                    l = location.headers['content-type'].split("charset=")
                    if len(l) == 2:
                        encoding = l[1]
                    else:
                        encoding = "iso-8859-1"  # default
                    lines = location.readlines()
                    lines = map(lambda line: unicode(line, encoding), lines)
                    ipLocationCache[ip] = lines

                # Every "Key: value" line of the reply becomes a field on the event.
                for l in lines:
                    if l:
                        colPos = l.find(":")
                        if colPos != -1:
                            r[l[:colPos] + postfix] = l[colPos+1:].strip()

                i = i + 1

except:
    # Return the failure to Splunk as an error result instead of failing silently.
    import traceback
    stack = traceback.format_exc()
    results = splunk.Intersplunk.generateErrorResults("Error : Traceback: " + str(stack))

splunk.Intersplunk.outputResults(results)
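The same annotation loop, written here as an added Python 3 example rather than the page's or Splunk's own code, with the hypothetical names `public_ips`, `parse_location` and `iplocation`: it keeps the ip/ip1 and Country/City field naming but checks each regex match is a real address, never sends private, loopback or reserved addresses to the external service, and lets only the expected reply keys become field names. The lookup is passed in as a callable so the constructed sample event and canned reply run offline.

```python
import ipaddress
import re

# Dotted quad as in iplocation.py, but anchored so that "1.2.3.4.5" is not
# partially matched; the octet range is validated with ipaddress below.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
ALLOWED_FIELDS = ("Country", "City")  # only these reply keys may name a field

def parse_location(text):
    """Parse 'Key: value' reply lines into a dict of allowed fields only."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ALLOWED_FIELDS:
            fields[key.strip()] = value.strip()
    return fields

def public_ips(raw):
    """Yield valid, globally routable IPv4 addresses found in raw; private,
    loopback and reserved addresses are never sent to the external service."""
    for cand in IP_RE.findall(raw):
        try:
            ip = ipaddress.IPv4Address(cand)
        except ValueError:          # e.g. 999.1.1.1 looks like an IP but is not
            continue
        if ip.is_global:
            yield str(ip)

def iplocation(results, lookup):
    """Add ip/ip1/... and Country/City with the same postfix to each event,
    as iplocation.py does; lookup(ip) returns the service's reply text."""
    cache = {}
    for r in results:
        raw = r.get("_raw")
        if raw is None:
            continue
        for i, ip in enumerate(public_ips(raw)):
            postfix = "" if i == 0 else str(i)
            r["ip" + postfix] = ip
            if ip not in cache:             # one lookup per distinct address
                cache[ip] = parse_location(lookup(ip))
            for key, value in cache[ip].items():
                r[key + postfix] = value
    return results
# Constructed sample event and canned reply (not real data) so this runs offline.
SAMPLE = [{"_raw": "404 GET /admin client 8.8.8.8 via proxy 10.0.0.5"}]
CANNED = {"8.8.8.8": "Country: UNITED STATES (US)\nCity: Mountain View, CA\n"}
if __name__ == "__main__":
    print(iplocation(SAMPLE, CANNED.__getitem__))
```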

Step 2: Tell Splunk about this command in commands.conf

[iplocation]
filename = iplocation.py


Run it!

For example, use it to see the location of the IP addresses that were served client errors for their Web access requests:

host=webserver status=404 | iplocation

The iplocation command adds new fields, City and Country, to your events. After you run the command, use the Fields menu to add these fields to your events, or pipe the results to another command, such as table, to display the fields you want to see:

host=webserver status=404 | iplocation | table clientip, uri, City, Country

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6
