Usage of Splunk-commands:IPLOCATION


The following describes the usage of the Splunk command IPLOCATION.

The iplocation command returns the geographic location of an IP address by looking it up in the MMDB (MaxMind DB) database.

The iplocation command supports both IPv4 and IPv6 addresses.

Below is the basic syntax of the iplocation command in Splunk.

The prefix argument prepends a string to the names of the fields that iplocation adds. It is used to avoid collisions with fields that already exist in the events.

The allfields argument adds every field from the database to the events.

If allfields=true, the City, Country, Continent, MetroCode, Timezone, Region, lat, and lon fields are added to the events.

By default the value is false, and only the City, Region, Country, lat, and lon fields are added to the events.

Sample data 

In the picture above, secure is the index name. Using the rex command we extracted the IP addresses from the log and stored them in a new field named IP.

Example one 

Outcomes   

Explanation

In the query above, secure is the index name. Using the rex command we extracted the IP addresses from the log and stored them in a new field named IP. Then, with the iplocation command, we looked up those IP addresses in the MMDB database. Because no arguments were passed to iplocation, by default it returns the City, Region, Country, lat, and lon fields for each IP address.

Here IP is the field name that holds every IP value. Finally, with the table command we selected every field whose name starts with IP, and with the dedup command we removed duplicate rows from the result set.

Example two

Outcomes

Explanation

In the query above, the index name is secure. Using the rex command we extracted the IP addresses from the log and stored them in a new field named IP. Then, with the iplocation command, we looked up those IP addresses in the MMDB database. The prefix argument puts the string IP_ in front of every field that iplocation adds, and allfields=true adds every field from the database. Here IP is the field name that holds every IP value. Finally, with the table command we selected all fields whose names start with IP, and with the dedup command we removed duplicate rows from the result set.
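The search described in Example two, written out in full as an added example (this is not the original post's screenshot). The page does not show the raw events, so the sshd-style "Failed password ... from <ip>" log format and the rex pattern that captures an IPv4 address after "from" are assumptions; the index name secure, the field name IP and the prefix IP_ are taken from the page.

```spl
index=secure "Failed password"
| rex field=_raw "from\s+(?<IP>\d{1,3}(?:\.\d{1,3}){3})"
| iplocation prefix=IP_ allfields=true IP
| table IP*
| dedup IP
```

With prefix=IP_ the added fields become IP_City, IP_Country, IP_Continent, IP_MetroCode, IP_Timezone, IP_Region, IP_lat and IP_lon, which is why `table IP*` picks up all of them along with IP itself. Dropping `prefix=IP_ allfields=true` gives Example one, where only the default City, Region, Country, lat and lon fields are added and must be listed in the table command by name.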
