Search Reference





Extracts location information from IP addresses using 3rd-party databases.


iplocation [prefix=<string>] [allfields=<bool>] [lang=<string>] <ip-address-fieldname>

Required arguments

Syntax: <field>
Description: Specify an IP address field, such as clientip.

Optional arguments

Syntax: allfields=<bool>
Description: If true, adds the fields: City, Continent, Country, Region, MetroCode, Timezone, lat (latitude), and lon (longitude). Defaults to false, which means that only the Country, City, Region, lat, and lon fields are added.
Syntax: lang=<string>
Description: Render the resulting strings in different languages. For example, use "lang=es" for Spanish. The set of languages depends on the geoip database that is used. To specify more than one language, separate them with a comma; the order also indicates priority, highest first. Specify "lang=code" to return the fields as two-letter ISO abbreviations.
Syntax: prefix=<string>
Description: Specify a string to prefix the field name. This lets you qualify the added field names to avoid name collisions with existing fields. Defaults to NULL/empty string.


The IP address field, specified in ip-address-fieldname, is looked up in a database and location information is added to the event as fields. The fields are City, Continent, Country, Region, MetroCode, Timezone, lat (latitude), and lon (longitude). Because all the information may not be available for each IP address, an event can have empty fields.

For IP addresses which do not have a location, such as internal addresses, no fields will be added.


Example 1: Add location information to web access events.

sourcetype=access_* | iplocation clientip

Example 2: Search for client errors in web access events, add location information, and return a table of the IP address, City and Country for each client error.

sourcetype=access_* status>=400 | head 20 | iplocation clientip | table clientip, status, City, Country


Example 3: Prefix the added fields with "iploc_".

sourcetype = access_* | iplocation prefix=iploc_ allfields=true clientip | fields iploc_*
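
An added example, not part of the original documentation: because addresses without a location (such as internal addresses) get no fields, a later `stats ... BY iploc_Country` silently drops those events, so this search fills the missing value and labels RFC 1918 sources before counting. The names src_scope, errors, and distinct_clients are hypothetical, chosen for this illustration; clientip, status, and the access_* source type are the ones used in the examples above.

```spl
sourcetype=access_* status>=400
| iplocation prefix=iploc_ clientip
| eval src_scope=if(cidrmatch("10.0.0.0/8", clientip) OR cidrmatch("172.16.0.0/12", clientip) OR cidrmatch("192.168.0.0/16", clientip), "internal", "external")
| fillnull value="(no location)" iploc_Country
| stats count AS errors, dc(clientip) AS distinct_clients BY src_scope, iploc_Country
| sort - errors
```

Rows with src_scope=external and "(no location)" are public addresses that the geoip database could not resolve, which is worth separating from internal traffic when reviewing where errors originate.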




This documentation applies to the following versions of Splunk: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.2.1, 6.2.2


Modified the search parameters, and now I can more easily visualize which type of rogue users are attempting to access the admin section of my blog

sourcetype=iis login | top limit=20 c_ip | iplocation c_ip | table c_ip, City, Country, count

November 21, 2014

What destination/ports do I have to have open for this to work?

October 13, 2014
