Splunk Enterprise

Search Reference




Extracts location information from IP addresses by using 3rd-party databases. Supports IPv4 and IPv6.

The IP address field, specified in ip-address-fieldname, is looked up in a database, and location fields are added to the event. The fields are City, Continent, Country, Region, MetroCode, Timezone, lat (latitude), and lon (longitude). Because not all of this information is available for every IP address, an event can have empty fields.

For IP addresses which do not have a location, such as internal addresses, no fields are added.


iplocation [prefix=<string>] [allfields=<bool>] [lang=<string>] <ip-address-fieldname>

Required arguments

ip-address-fieldname
Syntax: <field>
Description: Specify an IP address field, such as clientip.

Optional arguments

allfields
Syntax: allfields=<bool>
Description: If true, adds the fields City, Continent, Country, Region, MetroCode, Timezone, lat (latitude), and lon (longitude).
Default: false, meaning only the Country, City, Region, lat, and lon fields are added.

lang
Syntax: lang=<string>
Description: Render the resulting strings in different languages. For example, use "lang=es" for Spanish. The set of languages depends on the geoip database that is used. To specify more than one language, separate them with a comma. The order also indicates the priority, in descending order. Specify "lang=code" to return the fields as two-letter ISO abbreviations.

prefix
Syntax: prefix=<string>
Description: Specify a string to prefix the field name. This lets you qualify the added field names to avoid name collisions with existing fields.
Default: NULL/empty string


Example 1:

Add location information to web access events.

sourcetype=access_* | iplocation clientip

Example 2:

Search for client errors in web access events, add location information, and return a table of the IP address, City, and Country for each client error.

sourcetype=access_* status>=400 | head 20 | iplocation clientip | table clientip, status, City, Country


Example 3:

Prefix the added fields with "iploc_".

sourcetype=access_* | iplocation prefix=iploc_ allfields=true clientip | fields iploc_*

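An added example, not part of the Splunk manual: because no fields are added for addresses without a location, a stats BY on a location field silently drops those events, so internal clients vanish from a by-country error report. The search below extends Examples 2 and 3 by labelling private IPv4 sources and filling the missing location fields so every client error is counted. The field names src_scope, errors, and distinct_clients are hypothetical, and the three RFC 1918 ranges are an assumption about what counts as internal in your network.

```spl
sourcetype=access_* status>=400
| iplocation prefix=iploc_ clientip
| eval src_scope=if(cidrmatch("10.0.0.0/8", clientip)
    OR cidrmatch("172.16.0.0/12", clientip)
    OR cidrmatch("192.168.0.0/16", clientip), "internal", "external")
| fillnull value="unknown" iploc_Country iploc_City
| stats count AS errors, dc(clientip) AS distinct_clients BY src_scope, iploc_Country
| sort - errors
```

Rows with src_scope=external and iploc_Country=unknown are public addresses the database could not place, which is a different case from internal traffic and worth reviewing separately.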




This documentation applies to the following versions of Splunk: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.3.0


Modified the search parameters, and now I can more easily visualize which type of rogue users are attempting to access the admin section of my blog.

sourcetype=iis login | top limit=20 c_ip | iplocation c_ip | table c_ip, City, Country, count

November 21, 2014

What destination/ports do I have to have open for this to work?

October 13, 2014
