Splunk® Enterprise

Search Reference


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Example 2: iplocation

iplocation is a custom Splunk search command that derives location information from the IP addresses in your raw event data. Its script, iplocation.py, searches each raw event for strings that match the form of a dotted-quad IP address, sends each distinct address to an external HTTP geolocation service, and creates Country and City fields on the event from the service's reply (the first address found gets ip, Country and City; a second address gets ip1, Country1 and City1, and so on).

Step 1: Write the code! Here is iplocation.py:

# Copyright (C) 2005-2010 Splunk Inc. All Rights Reserved. Version 4.0
# Python 2 script: Splunk 4.x runs custom search commands with its bundled Python 2.
import re
import urllib
import splunk.Intersplunk

LOCATION_URL = "http://api.hostip.info/get_html.php?ip="

# This location URL returns results that look like:
#   Country: UNITED STATES (US)
#   City: Kittanning, PA
# Every "Key: value" line of the reply becomes a field on the event.

# Dotted-quad pattern. It also matches strings such as 999.1.2.3 that are not
# valid addresses, and every match is sent to the external service as-is.
ipre = re.compile(r"\d+\.\d+\.\d+\.\d+")

results = []

try:
    # The results piped into this command, plus the search settings.
    results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()

    ipLocationCache = {}   # one HTTP lookup per distinct address per search
    for r in results:
        if "_raw" in r:
            raw = r["_raw"]
            ips = ipre.findall(raw)
            i = 0
            for ip in ips:
                # First address gets ip/Country/City, the second ip1/Country1/City1, ...
                postfix = ""
                if i > 0:
                    postfix = str(i)

                r["ip" + postfix] = ip

                lines = []
                if ip in ipLocationCache:
                    lines = ipLocationCache[ip]
                else:
                    # Plain-HTTP request to a third-party service; no timeout is set,
                    # so a slow or unreachable service stalls the search.
                    location = urllib.urlopen(LOCATION_URL + ip)
                    l = location.headers['content-type'].split("charset=")
                    if len(l) == 2:
                        encoding = l[1]
                    else:
                        encoding = "iso-8859-1"  # default
                    lines = location.readlines()
                    lines = map(lambda l: unicode(l, encoding), lines)
                    ipLocationCache[ip] = lines

                for l in lines:
                    if l:
                        colPos = l.find(":")
                        if colPos != -1:
                            # The field name is taken verbatim from the reply.
                            r[l[:colPos] + postfix] = l[colPos + 1:].strip()

                i = i + 1

except Exception:
    import traceback
    stack = traceback.format_exc()
    results = splunk.Intersplunk.generateErrorResults("Error : Traceback: " + str(stack))

splunk.Intersplunk.outputResults(results)

Step 2: Tell Splunk about this command in commands.conf

[iplocation]
filename = iplocation.py


Step 3: Run it!

For example, use it to see the location of the IP addresses that were served client errors for their Web access requests:

host=webserver status=404 | iplocation

The iplocation command adds new fields, City and Country (plus ip, the address that was looked up), to each event that contains a dotted-quad string. Note that the field names and values come straight from the hostip.info reply, and that every distinct address in the search results, including private addresses, is sent over plain HTTP to that third-party service. After you run the command, use the Fields menu to add these fields to your events, or pipe the results to another command, such as table, to display the fields you want to see:

host=webserver status=404 | iplocation | table clientip, uri, City, Country
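The same command written defensively, as an added example that is not part of this documentation or of the iplocation.py shipped with Splunk. It is Python 3 (Splunk 4.x bundles Python 2, so the original script's Python 2 idioms are not carried over), keeps the page's field-naming convention (ip, Country, City, then ip1, Country1, City1 for a second address), and changes three things a practitioner would want: each candidate string is validated as an IPv4 address before use (999.1.2.3 is dropped), RFC 1918, loopback and link-local addresses are never sent to the external service, and only the Country and City lines of the reply may become fields, so a malformed or hostile reply cannot overwrite event fields such as _raw. The splunk.Intersplunk wrapper is used only when the script runs inside Splunk; outside it, the script runs on constructed sample events with canned hostip.info-style replies (both the log lines and the replies are made up for this example), and the live http_fetch adds the timeout the original lacks.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional

LOCATION_URL = "http://api.hostip.info/get_html.php?ip="

# Dotted-quad pattern as in the original script, with digit-boundary guards so
# a quad embedded in a longer digit run (10.0.0.123 vs 10.0.0.12) is not split.
IP_RE = re.compile(r"(?<!\d)(\d{1,3}(?:\.\d{1,3}){3})(?!\d)")

# Only these reply keys may become event fields. The original script turns
# every "Key: value" line of the HTTP body into a field, so a hostile or
# malformed reply could write arbitrary fields such as _raw or _time.
ALLOWED_KEYS = ("Country", "City")

# Address ranges that must never be sent to a public geolocation service.
NON_PUBLIC_NETS = [ipaddress.IPv4Network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipv4(candidate: str) -> Optional[ipaddress.IPv4Address]:
    """Return the address if every octet is 0-255, else None (rejects 999.1.2.3)."""
    try:
        return ipaddress.IPv4Address(candidate)
    except ipaddress.AddressValueError:
        return None


def is_public(addr: ipaddress.IPv4Address) -> bool:
    """True for addresses a remote lookup could plausibly resolve."""
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return False
    return not any(addr in net for net in NON_PUBLIC_NETS)


def parse_reply(body: str) -> Dict[str, str]:
    """Extract allow-listed 'Key: value' lines from a hostip.info-style body."""
    fields: Dict[str, str] = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ALLOWED_KEYS:
            fields[key.strip()] = value.strip()
    return fields


def http_fetch(ip: str, timeout: float = 5.0) -> str:
    """Live lookup against the same URL the original script uses, with a timeout."""
    from urllib.request import urlopen
    with urlopen(LOCATION_URL + ip, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "iso-8859-1"
        return resp.read().decode(charset, errors="replace")


def annotate_results(results: List[Dict[str, str]],
                     fetch: Callable[[str], str]) -> List[Dict[str, str]]:
    """Add ip/Country/City fields (ip1/Country1/City1 for a second address, ...)."""
    cache: Dict[str, Dict[str, str]] = {}
    out = []
    for r in results:
        r = dict(r)                                   # do not mutate the caller's events
        found = [a for a in map(parse_ipv4, IP_RE.findall(r.get("_raw", "")))
                 if a is not None]
        for i, addr in enumerate(found):
            postfix = "" if i == 0 else str(i)
            ip = str(addr)
            r["ip" + postfix] = ip
            if not is_public(addr):
                continue                              # never leak internal addresses
            if ip not in cache:
                cache[ip] = parse_reply(fetch(ip))    # one round trip per distinct address
            for key, value in cache[ip].items():
                r[key + postfix] = value
        out.append(r)
    return out


# Constructed sample events and canned replies (not real data) so the example runs offline.
SAMPLE_RESULTS = [
    {"_raw": '198.51.100.7 - - [10/Oct/2012:13:55:36 -0700] "GET /missing.html HTTP/1.1" 404 512'},
    {"_raw": '10.0.0.5 - - [10/Oct/2012:13:55:40 -0700] "GET /admin HTTP/1.1" 404 512'},
    {"_raw": 'scanner 999.1.2.3 via 203.0.113.9 "GET /x HTTP/1.1" 404 0'},
]
FAKE_REPLIES = {
    "198.51.100.7": "Country: UNITED STATES (US)\nCity: Kittanning, PA\n",
    "203.0.113.9": "Country: (Unknown Country?) (XX)\nCity: (Unknown City?)\n_raw: injected\n",
}


def fake_fetch(ip: str) -> str:
    """Stand-in for http_fetch: returns the canned reply, or an empty body."""
    return FAKE_REPLIES.get(ip, "")


if __name__ == "__main__":
    try:
        import splunk.Intersplunk as isp                     # available only inside Splunk
        results, _, _ = isp.getOrganizedResults()
        isp.outputResults(annotate_results(results, http_fetch))
    except ImportError:                                      # outside Splunk: demo run
        for ev in annotate_results(SAMPLE_RESULTS, fake_fetch):
            print({k: v for k, v in ev.items() if k != "_raw"})
```

Registered exactly as the original (filename = iplocation.py in commands.conf), this version produces the same ip, Country and City fields for the first event, leaves the 10.0.0.5 event with only an ip field, and for the third event discards 999.1.2.3, looks up 203.0.113.9, and ignores the injected _raw line in the reply.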


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7
