Skip to content
Article

How To Use The Splunk iplocation Command (+ Expert Tips)

 

Splunk is full of hidden gems. One of those gems is the Splunk Search Command: iplocation. By utilizing particular database files, iplocation can add geolocation information to the IP address values within your data. If you are ingesting data that contains an external IP address field, such as web storefront or VPN access, we can find location information such as country, city, and region to which the IP address belongs to. 

In this post, we’ll cover how to use the iplocation command in Splunk and some helpful tips you’ll need aling the way.

How To Use the iplocation Command in Splunk

|iplocation <ip_field>

Step 1: Type the iplocation command into your search bar.

|iplocation

Here is sample data that was ingested containing external IP’s under the field name clientip.

Figure 1 - iplocation sample data
Figure 1 – iplocation sample data

Step 2: Add the field that you want to use.

In this example, we’re using clientIp because these are the IP addresses we want to use the command for.

|iplocation <clientIp>
Figure 2 - Add clientip to your search
Figure 2 – Add clientip to your search

Splunk Tip: The iplocation command is false by default. When you add true to the search, it adds a few more fields to the columns.

New call-to-action

Step 3: Run a command using the fields that are present in the iplocation search.

If we look at our interesting fields, we’ll see some new additions.

Figure 3 - Review your interesting fields
Figure 3 – Review your interesting fields

Here, we can see city and country as fields within the iplocation command. So, we can use another command like the stats or table command to retrieve more information about the fields within the iplocation command.

Now that geolocation fields have been added to your fields list, add them to your search.

Figure 4 - Add geolocation fields to your search
Figure 4 – Add geolocation fields to your search

Splunk Tip: When using iplocation, the addresses must be external. Internal addresses may cause the command to work incorrectly.

iplocation Results 

Figure 5 - iplocation results
Figure 5 – iplocation results

There you have it. As you can see, we have successfully added geographical information to our ip addresses. By using this Splunk search command, you can use this information and build heatmaps and cluster map dashboards to visualize activity around the globe.

If you found this helpful…

You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.

Cue Atlas Assessment 30-day free trial: a customized report to show you where your Splunk environment is excelling and opportunities for improvement. You’ll get your report in just 30 minutes.

New call-to-action