Splunk is full of hidden gems. One of those gems is the Splunk search command iplocation. By utilizing particular database files, iplocation can add geolocation information to IP address values in your data. If you are ingesting data that contains an external IP address field, such as web storefront traffic, VPN access, or what have you, iplocation can tell you the country, city, and region that IP address belongs to.
Let's take a look at iplocation.
How To Use iplocation
Pretty simple stuff, so long as your IP field holds an external IP address. Here is sample data that was ingested containing external IPs under the field name clientip.
Next, add |iplocation clientip to our search.
If we look at our interesting fields, we’ll see some new additions.
NOTE: Region is also added but it was too far down the list.
Now that geolocation fields have been added to your fields list, add them to your search.
There you have it. As you can see, we have successfully added geographical information to our IP addresses. Using this Splunk search command, you can build heatmaps and cluster map dashboards to visualize activity around the globe.
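As an added example that is not from the original post, this search ties the steps above together for the VPN case: iplocation enriches each successful login, events whose country is outside an expected list are kept, and geostats bins the remaining lat/lon values so the result renders as a cluster map. The index, sourcetype, action value, user field and the expected-country list are assumptions to replace with your own; Country, City, lat and lon are the fields iplocation itself adds.

```spl
index=vpn sourcetype=vpn_auth action=success
| iplocation clientip
| eval Country=coalesce(Country, "Unknown")
| search NOT Country IN ("United States", "Canada")
| geostats latfield=lat longfield=lon count BY Country
```

Private or otherwise unresolvable addresses get no lat/lon and so never reach the map; the coalesce keeps them visible as "Unknown" if you replace the last line with `| stats count BY user, Country` to get a table of users logging in from unexpected countries instead.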
Ask the Experts
Our Splunk Search Command of the Week series is created by our Expertise on Demand (EOD) experts. Every day, our team of Splunk certified professionals works with customers through Splunk troubleshooting support, including Splunk search command best practices. If you're interested in learning more about our EOD service or chatting with our team of experts, fill out the form below!