iplocation
Description
Extracts location information from an IP address.
Note: The command adds the fields listed below to each event and populates them with the location information found for the IP address. If the GeoIP database lacks some of that information for an address, the corresponding fields are set to null.
| Name | Description |
|---|---|
| country | Country name. |
| iso_code | Country code. |
| subdivision | Subdivision (e.g., state, region). |
| city | City. |
| latitude | Latitude. |
| longitude | Longitude. |
Syntax
iplocation <ip-address-fieldname>
Required Arguments
| Parameter | Syntax | Description |
|---|---|---|
| ip-address-fieldname | <field> | Name of the field that contains the IP address, such as clientip. |
Note: If an event does not contain the specified field, or if the field's value is not a valid IP address, all of the location fields created for that event are set to null.
Example Queries
Example №1
source server_ip
| iplocation 'ip'
Example №2
source server_ip
| rename ip as clientip
| iplocation clientip
Example №3
source server_ip
| iplocation 'ip'
| where country == "United States"
| eval location = mvappend(latitude, longitude)
Example №4
source server_ip
| iplocation 'ip'
| where country == "Russia"
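The following Python model is an added illustration, not part of this documentation and not the command's actual implementation. It reproduces the null-handling rules described in the notes above (missing field, non-IP value, and a database record with gaps) and then runs the pipeline of Example №3 (filter on `country`, build `location` with `mvappend`) over a handful of constructed events. The in-memory `GEO_DB` table is a constructed stand-in for the real GeoIP database, and the `mvappend` helper is a simplified model that drops null values.

```python
import ipaddress

# Constructed stand-in for the GeoIP database the real command consults.
# The second record is deliberately incomplete to show partial-data nulls.
GEO_DB = [
    (ipaddress.ip_network("198.51.100.0/24"),
     {"country": "United States", "iso_code": "US", "subdivision": "California",
      "city": "Los Angeles", "latitude": 34.05, "longitude": -118.24}),
    (ipaddress.ip_network("203.0.113.0/24"),
     {"country": "Russia", "iso_code": "RU", "subdivision": None,
      "city": None, "latitude": 55.75, "longitude": 37.62}),
]

# Fields the command creates in every event it processes.
LOCATION_FIELDS = ("country", "iso_code", "subdivision", "city", "latitude", "longitude")


def lookup(ip):
    """Return the location record for an address, with null for anything the database lacks."""
    for net, rec in GEO_DB:
        if ip in net:
            return {f: rec.get(f) for f in LOCATION_FIELDS}
    # Address not present in the database at all: every field is null.
    return {f: None for f in LOCATION_FIELDS}


def iplocation(event, fieldname):
    """Model of `| iplocation <fieldname>` applied to a single event."""
    out = dict(event)
    value = event.get(fieldname)
    try:
        # A missing field (None) or a non-address string fails to parse here.
        ip = ipaddress.ip_address(str(value).strip())
    except ValueError:
        out.update({f: None for f in LOCATION_FIELDS})
        return out
    out.update(lookup(ip))
    return out


def mvappend(*values):
    """Simplified model of `mvappend`: a multivalue field built from the arguments, nulls dropped."""
    return [v for v in values if v is not None]


def run_example_3(events, fieldname="ip"):
    """Model of Example №3:
    | iplocation 'ip' | where country == "United States" | eval location = mvappend(latitude, longitude)
    """
    results = []
    for ev in events:
        ev = iplocation(ev, fieldname)
        if ev["country"] != "United States":
            continue
        ev["location"] = mvappend(ev["latitude"], ev["longitude"])
        results.append(ev)
    return results


# Constructed sample events covering the documented edge cases.
EVENTS = [
    {"ip": "198.51.100.23", "action": "login"},   # full record
    {"ip": "203.0.113.9", "action": "login"},     # partial record
    {"ip": "not-an-ip", "action": "login"},       # field present but not an address
    {"action": "login"},                          # field missing
    {"ip": "10.0.0.5", "action": "login"},        # address absent from the database
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(iplocation(ev, "ip"))
    print(run_example_3(EVENTS))
```

Running the script shows one event surviving the `where country == "United States"` filter, with `location` holding the latitude and longitude pair, while the malformed, missing and unknown addresses all carry null location fields rather than causing an error.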