iplocation
Description
Extracts location information from an IP address.
The command creates the fields listed below in each event and populates them with location data for the address. If the database has no value for a particular attribute, that field is set to null.
| Name | Description |
|---|---|
| country | Country name. |
| iso_code | ISO country code (e.g., RU, US). |
| subdivision | Subdivision (e.g., state, region). |
| city | City. |
| latitude | Latitude. |
| longitude | Longitude. |
Syntax
iplocation <ip-address-fieldname>
Required Arguments
| Parameter | Syntax | Description |
|---|---|---|
| ip-address-fieldname | <field> | Name of the field that contains the IP address, such as clientip. |

If the event does not contain the specified field, or the field's value is not an IP address, the fields are still created but all of them are set to null in that event.
Examples
These examples demonstrate basic event enrichment with geodata and subsequent use of the fields that iplocation creates.
Example 1
In this example, the command takes an IP address from the ip field and adds country, city, latitude, longitude and other available geoattributes to the event.
source server_ip
| iplocation 'ip'
Example 2
In this example, the field with the IP address is first renamed, then used in iplocation. This shows that the command works with any field containing an IP address.
source server_ip
| rename ip as clientip
| iplocation clientip
Example 3
In this example, after enriching with geodata, the query keeps only records for host2 and collects latitude and longitude into a multivalue field location.
source server_ip
| iplocation 'ip'
| where host_name == "host2"
| eval location = mvappend(latitude, longitude)
Example 4
In this example, geodata is used for filtering: the result contains only events whose country field equals Russia. Events in which country is null (the address was missing, invalid, or not present in the database) do not match and are dropped.
source server_ip
| iplocation 'ip'
| where country == "Russia"
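The following Python model reproduces the behaviour described under Required Arguments and in Examples 3 and 4 on constructed data, so the null rules can be checked end to end. It is an added example, not the product's implementation: GEO_DB is a synthetic stand-in for the GeoIP database, EVENTS are constructed events, and the functions iplocation, where_eq, mvappend, example3 and example4 are hypothetical names chosen for this illustration.

```python
"""Reference model of the iplocation enrichment described on this page.

Added example, not the product's own code. It models the documented rules:
the six geo fields are created on every event; an event whose field is
missing or not an IP address gets null (None) in all of them; an address
whose database record is incomplete gets null only where the record has no
value. GEO_DB and EVENTS below are constructed test data.
"""
import ipaddress
from typing import Any, Dict, List, Optional, Tuple

GEO_FIELDS = ("country", "iso_code", "subdivision", "city", "latitude", "longitude")

# Constructed stand-in for a GeoIP database, keyed by network prefix.
# RFC 5737 TEST-NET ranges are used so the data is obviously synthetic.
# The second record deliberately carries country-level data only.
GEO_DB: List[Tuple[ipaddress.IPv4Network, Dict[str, Any]]] = [
    (ipaddress.ip_network("203.0.113.0/24"),
     {"country": "Netherlands", "iso_code": "NL", "subdivision": "North Holland",
      "city": "Amsterdam", "latitude": 52.37, "longitude": 4.90}),
    (ipaddress.ip_network("198.51.100.0/24"),
     {"country": "Russia", "iso_code": "RU"}),
]

# Constructed events standing in for `source server_ip`.
EVENTS: List[Dict[str, Any]] = [
    {"host_name": "host1", "ip": "10.0.0.5"},       # RFC 1918: absent from any GeoIP DB -> all null
    {"host_name": "host2", "ip": "203.0.113.7"},    # complete record
    {"host_name": "host2", "ip": "198.51.100.20"},  # country only -> subdivision/city/coords null
    {"host_name": "host3", "ip": "not-an-ip"},      # field present but not an address -> all null
    {"host_name": "host4"},                         # field absent -> all null
]


def _parse_ip(value: Any) -> Optional[ipaddress.IPv4Address]:
    """Return the address if value is a syntactically valid IPv4 address, else None."""
    if not isinstance(value, str):
        return None
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    return addr if isinstance(addr, ipaddress.IPv4Address) else None


def _lookup(addr: ipaddress.IPv4Address) -> Dict[str, Any]:
    """Longest-prefix match against GEO_DB; {} when the address is not covered
    (the fate of private and other non-routable addresses in a real database)."""
    best: Dict[str, Any] = {}
    best_len = -1
    for net, record in GEO_DB:
        if addr in net and net.prefixlen > best_len:
            best, best_len = record, net.prefixlen
    return best


def iplocation(events: List[Dict[str, Any]], field: str) -> List[Dict[str, Any]]:
    """Model of `| iplocation <field>`: every event gets all GEO_FIELDS added."""
    out = []
    for ev in events:
        enriched = dict(ev)
        addr = _parse_ip(ev.get(field))
        record = _lookup(addr) if addr is not None else {}
        for name in GEO_FIELDS:
            enriched[name] = record.get(name)  # None stands for null
        out.append(enriched)
    return out


def where_eq(events: List[Dict[str, Any]], field: str, value: Any) -> List[Dict[str, Any]]:
    """Model of `| where field == value`: a null field never matches, so events
    the database could not locate silently drop out of Example 4 style filters."""
    return [ev for ev in events if ev.get(field) is not None and ev[field] == value]


def mvappend(*values: Any) -> List[Any]:
    """Multivalue builder for Example 3. Nulls are dropped here; the page does not
    state how the product's mvappend treats nulls, so this is an assumption."""
    return [v for v in values if v is not None]


def example3(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """source | iplocation 'ip' | where host_name == "host2" | eval location = mvappend(...)"""
    result = where_eq(iplocation(events, "ip"), "host_name", "host2")
    for ev in result:
        ev["location"] = mvappend(ev["latitude"], ev["longitude"])
    return result


def example4(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """source | iplocation 'ip' | where country == "Russia" """
    return where_eq(iplocation(events, "ip"), "country", "Russia")


if __name__ == "__main__":
    for ev in example3(EVENTS):
        print(ev["ip"], ev["location"])
    print([ev["ip"] for ev in example4(EVENTS)])
```

Note that the host2 event at 198.51.100.20 survives the Example 4 filter even though its city and coordinates are null, while the host1 event at 10.0.0.5 is dropped by every geo filter because nothing about it could be resolved. When hunting with country or city predicates, count the events where the field is null separately so that unresolvable addresses are not mistaken for an absence of activity.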