Usage of Splunk commands  : IPLOCATION

Usage of Splunk commands : IPLOCATION is as follows:

  • The iplocation command shows the location of IP addresses by looking them up in an MMDB (MaxMind DB) database.
  • This command supports both IPv4 and IPv6 addresses.

Find below the skeleton of the usage of the command “iplocation” in Splunk:

... | iplocation [prefix=<string_value>] [allfields=<boolean>] [<IP-address-fieldname>]

  • The prefix argument adds a string to the name of every added field as a prefix. Use it to avoid collisions with fields that already exist in the events.
  • The allfields argument controls whether all the fields from the database are added to the events.
  • If allfields=true, the City, Continent, Country, MetroCode, Region, Timezone, lat and lon fields are added to the events.
  • The default value is false; then only the City, Country, Region, lat and lon fields are added to the events.

Below we have given some sample data.

(Screenshot iplocation1: sample events from the index)

In the above image, secure is the index name. With the rex command we have extracted the IP addresses from the log and stored them in a new field called IP.

Example 1:

index=secure 
| rex field=_raw ".*\s+from\s(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*" 
| iplocation IP 
| table IP,City,Country,lat,lon,Region 
| dedup IP,City,Country,lat,lon,Region

Result :

(Screenshots ip1 and ip2: result of Example 1)

Explanation :

In the above query, secure is the index name. With the rex command we have extracted the IP addresses from the log and stored them in a new field called IP. Then with the iplocation command we have looked up information about those IP addresses in the MMDB database. We do not specify any argument with the iplocation command, so by default it adds the City, Country, Region, lat and lon fields for each IP address. Here IP is the name of the field where the IP values are stored. At last, with the table command we have displayed the IP, City, Country, lat, lon and Region fields, and with the dedup command we have removed duplicate combinations of those fields from the result set.

*************************************************************************

Example 2 :

index=secure
| rex field=_raw ".*\s+from\s(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*"
| iplocation IP prefix=IP_ allfields=true
| table IP*
| dedup IP

Result :

(Screenshots iplocation3 and iplocation4: result of Example 2)

Explanation:

In the above query, secure is the index name. With the rex command we have extracted the IP addresses from the log and stored them in a new field called IP. Then with the iplocation command we have looked up information about those IP addresses in the MMDB database. We have used the prefix argument to add the string IP_ to the name of every added field as a prefix, and allfields=true to add all the fields from the database (so the result contains IP_City, IP_Continent, IP_Country, IP_MetroCode, IP_Region, IP_Timezone, IP_lat and IP_lon). Here IP is the name of the field where the IP values are stored. At last, with the table command we have taken all the fields whose names start with the string IP, and with the dedup command we have removed events with a duplicate IP value from the result set.
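To make the behaviour of the two queries concrete without a Splunk instance, here is an added Python simulation of the rex, iplocation, table and dedup steps. It is example code written for this post, not Splunk's implementation: the GEO_DB dictionary is a constructed stand-in for the MMDB file (every location in it is made up), the SAMPLE_RAW lines are constructed sshd-style events standing in for index=secure, and the rex pattern is the one from the queries with the named group written as (?P<IP>...) because Python's re module does not accept the PCRE form (?<IP>...). The simulation also shows the caveat a practitioner runs into first: private (RFC 1918) and other unroutable addresses are not in a GeoIP database, so they come back with empty location fields rather than an error.

```python
import ipaddress
import re

# Constructed stand-in for the MMDB (MaxMind DB) file that Splunk's iplocation reads.
# A real lookup hits a binary GeoIP database; this dict exists only so the example
# runs offline, and every location in it is made up.
GEO_DB = {
    "203.0.113.0/24": {  # IPv4 documentation range, made-up location
        "City": "Springfield", "Continent": "North America", "Country": "United States",
        "MetroCode": "609", "Region": "Illinois", "Timezone": "America/Chicago",
        "lat": 39.80, "lon": -89.64,
    },
    "2001:db8::/32": {  # IPv6 documentation range, made-up location
        "City": "Berlin", "Continent": "Europe", "Country": "Germany",
        "MetroCode": "", "Region": "Berlin", "Timezone": "Europe/Berlin",
        "lat": 52.52, "lon": 13.40,
    },
}
GEO_NETWORKS = [(ipaddress.ip_network(cidr), rec) for cidr, rec in GEO_DB.items()]

# Ranges a GeoIP database never covers: RFC 1918, loopback, link-local and ULA.
# Splunk returns empty location fields for these; so does this simulation.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128", "fe80::/10")]

# Field sets as described above: five by default, eight with allfields=true.
DEFAULT_FIELDS = ["City", "Country", "Region", "lat", "lon"]
ALL_FIELDS = ["City", "Continent", "Country", "MetroCode", "Region", "Timezone", "lat", "lon"]

# The rex pattern from the queries above. Splunk's rex is PCRE and writes the
# named group as (?<IP>...); Python's re module needs (?P<IP>...).
IP_REX = re.compile(r".*\s+from\s(?P<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+.*")


def lookup(ip_text):
    """Return the database record for an IPv4/IPv6 address, or None if it is
    malformed, unroutable, or simply not in the database."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    if any(addr in net for net in UNROUTABLE):
        return None
    for net, rec in GEO_NETWORKS:
        if addr in net:
            return rec
    return None


def iplocation(events, field="IP", prefix="", allfields=False):
    """Simulate `| iplocation [prefix=...] [allfields=...] <field>`.
    Every event gets the chosen fields; unknown IPs get empty strings."""
    wanted = ALL_FIELDS if allfields else DEFAULT_FIELDS
    out = []
    for ev in events:
        ev = dict(ev)
        rec = lookup(str(ev.get(field, ""))) or {}
        for name in wanted:
            ev[prefix + name] = rec.get(name, "")
        out.append(ev)
    return out


def rex_ip(raw_lines):
    """Simulate `| rex field=_raw ...`: keep only lines that match, with the IP field set."""
    events = []
    for line in raw_lines:
        m = IP_REX.match(line)
        if m:
            events.append({"_raw": line, "IP": m.group("IP")})
    return events


def dedup(events, *fields):
    """Simulate `| dedup f1,f2,...`: keep the first event per distinct field combination."""
    seen, out = set(), []
    for ev in events:
        key = tuple(ev.get(f) for f in fields)
        if key not in seen:
            seen.add(key)
            out.append(ev)
    return out


# Constructed sshd-style lines standing in for the events in index=secure.
SAMPLE_RAW = [
    "Mar  1 10:01:02 host sshd[1]: Failed password for root from 203.0.113.7 port 4422 ssh2",
    "Mar  1 10:01:09 host sshd[2]: Failed password for root from 203.0.113.7 port 4423 ssh2",
    "Mar  1 10:02:00 host sshd[3]: Accepted password for admin from 10.0.0.5 port 50000 ssh2",
    "Mar  1 10:03:00 host sshd[4]: pam_unix(sshd:session): session opened for user admin",
]


def example1():
    """Example 1: default fields, then table and dedup on the six listed fields."""
    cols = ["IP", "City", "Country", "lat", "lon", "Region"]
    events = dedup(iplocation(rex_ip(SAMPLE_RAW)), *cols)
    return [{c: ev[c] for c in cols} for ev in events]


def example2():
    """Example 2: prefix=IP_ allfields=true, then `table IP*` and `dedup IP`."""
    events = dedup(iplocation(rex_ip(SAMPLE_RAW), prefix="IP_", allfields=True), "IP")
    return [{k: v for k, v in ev.items() if k.startswith("IP")} for ev in events]


if __name__ == "__main__":
    for row in example1() + example2():
        print(row)
```

Running it prints two rows per example: the 203.0.113.7 event with its (made-up) location, and the 10.0.0.5 event with every location field empty. The fourth sample line never reaches iplocation because the rex pattern does not match it, which is the same thing that happens in Splunk when an event has no "from <ip>" text. When you build a dashboard on top of this, filtering out events whose Country is empty (or excluding RFC 1918 sources before iplocation) keeps the private-address noise out of your map.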

Now you can effectively utilize the “iplocation” command in your daily work to meet your requirements!

Hope you are now comfortable with: Usage of Splunk commands : IPLOCATION

Happy Splunking !!
