Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF

iplocation

Description

Extracts location information from IP addresses by using 3rd-party databases. This command supports IPv4 and IPv6.

The IP address field in your events, that you specify in the ip-address-fieldname argument, is looked up in the database. Fields from that database that contain location information are added to each event. The setting used for the allfields argument determines which fields are added to the events.

Because all the information might not be available for each IP address, an event can have empty field values.

For IP addresses which do not have a location, such as internal addresses, no fields are added.

Syntax

iplocation [prefix=<string>] [allfields=<bool>] [lang=<string>] <ip-address-fieldname>

Required arguments

ip-address-fieldname
Syntax: <field>
Description: Specify an IP address field, such as clientip.

Optional arguments

allfields
Syntax: allfields=<bool>
Description: Specifies whether to add all of the fields from the database to the events. If set to true, adds the fields City, Continent, Country, lat (latitude), lon (longitude), MetroCode, Region, and Timezone.
Default: false. Only the City, Country, lat, lon, and Region fields are added to the events.
lang
Syntax: lang=<string>
Description: Render the resulting strings in different languages. For example, use "lang=es" for Spanish. The set of languages depends on the geoip database that is used. To specify more than one language, separate them with a comma. This also indicates the priority in descending order. Specify "lang=code" to return the fields as two letter ISO abbreviations.
prefix
Syntax: prefix=<string>
Description: Specify a string to prefix the field name. With this argument you can add a prefix to the added field names to avoid name collisions with existing fields. For example if you specify prefix=iploc_, the field names added to the events become iploc_City, iploc_County, iploc_lat, and so forth.
Default: NULL/empty string

Usage

The Splunk software ships with a copy of the GeoLite2-City.mmdb database file. This file is located in the $SPLUNK_HOME/share/ directory.

Updating the MMDB file

You can replace the version of the .mmdb file that ships with the Splunk software with a copy of the paid version of the file or with a monthly update of the free version of the file.

  1. From http://dev.maxmind.com/geoip/geoip2/geolite2/, download the binary gzipped version of the GeoLite2 City database file.
  2. Copy the file to the search head on your Splunk Enterprise instance.
  3. Expand the gizipped file.
  4. Copy the GeoLite2-City.mmdb file to the $SPLUNK_HOME/share/ directory to overwrite the file there.

Impact of upgrading Splunk software

When you upgrade your Splunk platform, the GeoLite2-City.mmdb file in the share directory is replaced by the version of the file that ships with the Splunk software. If you prefer to update the GeoLite2-City.mmdb file yourself, for example if you use a paid version of the file, you can store the MMDB file in a different path. The path that is used by the Splunk software to access the file must be updated. Only users with the admin role can specify a different path to the MMDB file in the limits.conf file.

  1. Open the local limits.conf file for the Search app. For example, $SPLUNK_HOME/etc/system/local.
  2. Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. See How to edit a configuration file in the Admin Manual.
  3. Add the [iplocation] stanza.
  4. Add the db_path setting and specify the absolute path to the GeoLite2-City.mmdb file. The db_path setting does not support standard Splunk environment variables such as $SPLUNK_HOME.
    For example: db_path = /Applications/Splunk/mmdb/GeoLite2-City.mmdb specifies a new directory called mmdb.
  5. Ensure a copy of the MMDB file is stored in the ../Applications/Splunk/mmdb/ directory.


Alternatively, you can add the updated MMDB to the share directory using a different name and then specify that name in the db_path setting. For example: db_path = /Applications/Splunk/share/GeoLite2-City_paid.mmdb.

The MMDB file and distributed deployments

The iplocation command is a distributable streaming command, which means that it can be processed on the indexers. The share directory is not part of the knowledge bundle. If you update the MMDB file in the share directory, the updated file is not automatically sent to the indexers in a distributed deployment. To add the MMDB file to the indexers, use the tools that you typically use to push files to the indexers.

Examples

Example 1:

Add location information to web access events.

sourcetype=access_* | iplocation clientip

Example 2:

Search for client errors in web access events, add location information, and return a table of the IP address, City, and Country for each client error.

sourcetype=access_* status>=400 | head 20 | iplocation clientip | table clientip, status, City, Country

6.1 iplocation ex2.png

Example 3:

Prefix the fields added by the iplocation command with "iploc_".

sourcetype = access_* | iplocation prefix=iploc_ allfields=true clientip | fields iploc_*

This image shows the fields sidebar where the added fields in the Interesting fields list.

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the iplocation command.

PREVIOUS
inputlookup
  NEXT
join

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2


Comments

Modified the search parameters, and now I can more easily visualize which type of rogue users are attempting to access the admin section of my blog<br /><br />sourcetype=iis login | top limit=20 c_ip | iplocation c_ip | table c_ip, City, Country, count

Mwisniewski9
November 21, 2014

What destination/ports do I have to have open for this to work?

Daniel333
October 13, 2014

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters