https://community.splunk.com/t5/Splunk-Search/Why-is-iplocation-command-returning-wrong-countries/m-p/600159#M208927 <P>Hi everyone</P> <P>I am currently getting logs from microsoft 365 and one of its panels shows the impossible simultaneous locations.</P> <P>When I check the IP with any page for whois like virustotal or abuseipdb, for example, from Sweden, I find that it really is from another country.</P> <P>Is there something wrong with the iplocation command or something I need to adjust</P> <P>How can it be solved?</P> Wed, 01 Jun 2022 19:09:52 GMT juancamiloll 2022-06-01T19:09:52Z https://community.splunk.com/t5/Splunk-Search/Why-is-iplocation-command-returning-wrong-countries/m-p/600159#M208927 <P>Hi everyone</P> <P>I am currently getting logs from microsoft 365 and one of its panels shows the impossible simultaneous locations.</P> <P>When I check the IP with any page for whois like virustotal or abuseipdb, for example, from Sweden, I find that it really is from another country.</P> <P>Is there something wrong with the iplocation command or something I need to adjust</P> <P>How can it be solved?</P> Wed, 01 Jun 2022 19:09:52 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-iplocation-command-returning-wrong-countries/m-p/600159#M208927 juancamiloll 2022-06-01T19:09:52Z https://community.splunk.com/t5/Splunk-Search/Why-is-iplocation-command-returning-wrong-countries/m-p/600192#M208936 <P>The <FONT face="courier new,courier">iplocation</FONT> command uses a database from MaxMind.&nbsp; That database is only updated when you install a new version of Splunk, unless you take specific steps to update it yourself.&nbsp; Depending on the version of Splunk you are using the location database could be very old and outdated.</P> Thu, 02 Jun 2022 00:32:33 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-iplocation-command-returning-wrong-countries/m-p/600192#M208936 richgalloway 2022-06-02T00:32:33Z https://community.splunk.com/t5/Splunk-Search/Why-is-iplocation-command-returning-wrong-countries/m-p/600204#M208943 <P>You have to remember also that all those ip-geo databases are best-effort only. There is no way to determine a 100% sure location of a given IP. They are usually pretty ok, but sometimes the results can be non-reliable.</P> Thu, 02 Jun 2022 04:58:53 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-iplocation-command-returning-wrong-countries/m-p/600204#M208943 PickleRick 2022-06-02T04:58:53Z https://community.splunk.com/t5/Splunk-Search/Why-is-iplocation-command-returning-wrong-countries/m-p/600207#M208944 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/223293">@juancamiloll</a>&nbsp;- As mentioned by&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;it uses the MaxMind database to find the IP location. The MaxMind database is not auto-updated, you need to do it manually or you can use App like&nbsp;<A href="https://splunkbase.splunk.com/app/5482/" target="_blank">https://splunkbase.splunk.com/app/5482/</A>&nbsp;(Auto Update MaxMind Database) to update it regularly.</P><P>As mentioned by&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;, even though you update the MaxMind database regularly there is no guarantee that it will tell you the exact and correct location. Different IP location database generates different results sometimes.&nbsp;</P><P>&nbsp;</P><P>I hope this helps!!!!</P> Thu, 02 Jun 2022 05:08:33 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-iplocation-command-returning-wrong-countries/m-p/600207#M208944 VatsalJagani 2022-06-02T05:08:33Z https://community.splunk.com/t5/Splunk-Search/Why-is-iplocation-command-returning-wrong-countries/m-p/600638#M209080 <P>Thank you very much for your help.</P><P>I followed the steps downloading the file, then unzipping it and moving it to the /splunk/share folder</P><P>I restarted splunk and it already brings me the countries I expected</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/Iplocation#Updating_the_MMDB_file" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/Iplocation#Updating_the_MMDB_file</A></P> Sun, 05 Jun 2022 23:58:06 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-iplocation-command-returning-wrong-countries/m-p/600638#M209080 juancamiloll 2022-06-05T23:58:06Z