Using the iplocation command
The iplocation command looks up IP addresses in a third-party dataset so that the
Splunk user can easily obtain geographic values for a client IP (Internet Protocol)
address, here the clientip field. By default, the iplocation command adds the Country,
City, Region, lat (latitude), and lon (longitude) fields to each event. In
the following code snippet, we have used the buttercupgames data (used in earlier chapters)
and created a table of the top 15 countries with the greatest counts:
buttercupgames | iplocation clientip | top limit=15 Country
As you can see here, Splunk gives both the counts and the percentages in its output:
Top 15 Countries in Terms of Counts of IP Addresses
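A variant of the country count above, added here as an example and not taken from the book: top only counts events that have a Country value, so addresses the dataset cannot place (private ranges, for example) drop out of the table and the percentages. This version keeps them in an explicit bucket and also shows how many distinct addresses sit behind each count. The geo_ prefix and the "Unresolved" label are choices made for this example.

```spl
buttercupgames
| iplocation prefix=geo_ clientip
| eval geo_Country=if(isnull(geo_Country) OR geo_Country="", "Unresolved", geo_Country)
| stats count AS requests, dc(clientip) AS unique_ips BY geo_Country
| eventstats sum(requests) AS total
| eval percent=round(100*requests/total, 2)
| sort - requests
| head 15
| fields geo_Country, requests, unique_ips, percent
```

A large "Unresolved" row usually means internal or proxy addresses are being logged in clientip rather than the real client address.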
We can do the same type of analysis to create a table of the five most common cities that
appear in our data, using the following code:
buttercupgames | iplocation clientip | top limit=5 City
And we get the following result: