https://community.splunk.com/t5/Splunk-Search/Why-is-iplocation-showing-incorrect-data/m-p/594360#M206866 <P>In my ES App, I have a rule where I noted some discrepancy regarding the source country for the src&nbsp; ip&nbsp; 112.196.162.127.<BR /><BR />Using 'iplocation'&nbsp; command in SPL it shows as Turkey.<BR />But in whoisdomaintools it shows as India.<BR /><A href="https://whois.domaintools.com/112.196.162.127" target="_blank" rel="noopener">112.196.162.127 IP Address Whois | DomainTools.com</A><BR /><BR />Any suggestion why this is the case ?</P> <P><BR /><BR /></P> <P><BR /><BR /><BR /></P> Wed, 20 Apr 2022 14:44:58 GMT zacksoft_wf 2022-04-20T14:44:58Z https://community.splunk.com/t5/Splunk-Search/Why-is-iplocation-showing-incorrect-data/m-p/594360#M206866 <P>In my ES App, I have a rule where I noted some discrepancy regarding the source country for the src&nbsp; ip&nbsp; 112.196.162.127.<BR /><BR />Using 'iplocation'&nbsp; command in SPL it shows as Turkey.<BR />But in whoisdomaintools it shows as India.<BR /><A href="https://whois.domaintools.com/112.196.162.127" target="_blank" rel="noopener">112.196.162.127 IP Address Whois | DomainTools.com</A><BR /><BR />Any suggestion why this is the case ?</P> <P><BR /><BR /></P> <P><BR /><BR /><BR /></P> Wed, 20 Apr 2022 14:44:58 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-iplocation-showing-incorrect-data/m-p/594360#M206866 zacksoft_wf 2022-04-20T14:44:58Z https://community.splunk.com/t5/Splunk-Search/Why-is-iplocation-showing-incorrect-data/m-p/594454#M206899 <P>It's possible the MaxMind database (source for the iplocation command) is outdated.&nbsp; What version of Splunk are you using?&nbsp; Have you tried updating the database (see&nbsp;<SPAN><A href="https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/Iplocation#Updating_the_MMDB_file" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/Iplocation#Updating_the_MMDB_file</A></SPAN> for instructions)?</P> Wed, 20 Apr 2022 13:06:03 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-iplocation-showing-incorrect-data/m-p/594454#M206899 richgalloway 2022-04-20T13:06:03Z https://community.splunk.com/t5/Splunk-Search/Why-is-iplocation-showing-incorrect-data/m-p/594456#M206901 <P>I noticed something,<BR />In my query if I write like this I get wrong iplocation data<BR /><BR />index=palo_alto_networks TERM(112.196.162.127)<BR />| table _time, sourcetype, src, local_ip Country user_name&nbsp;<BR />| iplocation&nbsp; src<BR /><BR />But if, I change the iplocation comands position to the middle , it gives the correct country data<BR />like this<BR /><BR />index=palo_alto_networks TERM(112.196.162.127)<BR />| iplocation&nbsp; src<BR />| table _time, sourcetype, src, local_ip Country user_name&nbsp;<BR /><BR /><BR /><BR /></P> Wed, 20 Apr 2022 13:47:13 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-iplocation-showing-incorrect-data/m-p/594456#M206901 zacksoft_wf 2022-04-20T13:47:13Z https://community.splunk.com/t5/Splunk-Search/Why-is-iplocation-showing-incorrect-data/m-p/594467#M206904 <P>The first query tries to display the Country field before <FONT face="courier new,courier">iplocation</FONT> has created it, so it's no surprise it doesn't show expected results.</P> Wed, 20 Apr 2022 14:50:42 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-iplocation-showing-incorrect-data/m-p/594467#M206904 richgalloway 2022-04-20T14:50:42Z