https://community.splunk.com/t5/Splunk-Search/Splunk-displays-incorrect-location-on-using-iplocation/m-p/326739#M97362 <P>Hi rakes568!</P> <P>Which version of Splunk are you using?</P> <P>Splunk updates the db used when doing iplocation each release, which can be found in <CODE>$SPLUNK_HOME/share/</CODE></P> <P>I am running 6.6.1 and I am receiving the correct information when comparing to online services you mentioned. </P> <P><IMG src="http://i.imgur.com/xa2jUmj.png" alt="alt text" /></P> <P>My guess is you simply have an older version of Splunk, and thus, an older copy of the db, and seeing how this is Amazon ip space, it is not surprising it may change. </P> <P>The good news is, since 6.1 you can update the db manually if you need to!! Check out this blog on the topic!</P> <P><A href="https://www.splunk.com/blog/2014/07/22/updating-the-iplocation-db.html">https://www.splunk.com/blog/2014/07/22/updating-the-iplocation-db.html</A></P> Sun, 04 Jun 2017 14:08:21 GMT mattymo 2017-06-04T14:08:21Z https://community.splunk.com/t5/Splunk-Search/Splunk-displays-incorrect-location-on-using-iplocation/m-p/326738#M97361 <P>On using iplocation, Splunk returns incorrect coordinates for an IP, and displays location incorrectly on map with geostats.<BR /> For IP 52.43.227.70, it returns coordinates 39.56450, -75.59700.<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3006i7ABAA58A2EFACBB3/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Whereas actual coordinates for IP address 52.43.227.70 using infosnipper.net (or any other online APIs for that matter) are 45.8696, -119.688, and location is in Oregon region.</P> <P>Has anyone seen this issue?</P> Sun, 04 Jun 2017 09:55:45 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-displays-incorrect-location-on-using-iplocation/m-p/326738#M97361 rakes568 2017-06-04T09:55:45Z https://community.splunk.com/t5/Splunk-Search/Splunk-displays-incorrect-location-on-using-iplocation/m-p/326739#M97362 <P>Hi rakes568!</P> <P>Which version of Splunk are you using?</P> <P>Splunk updates the db used when doing iplocation each release, which can be found in <CODE>$SPLUNK_HOME/share/</CODE></P> <P>I am running 6.6.1 and I am receiving the correct information when comparing to online services you mentioned. </P> <P><IMG src="http://i.imgur.com/xa2jUmj.png" alt="alt text" /></P> <P>My guess is you simply have an older version of Splunk, and thus, an older copy of the db, and seeing how this is Amazon ip space, it is not surprising it may change. </P> <P>The good news is, since 6.1 you can update the db manually if you need to!! Check out this blog on the topic!</P> <P><A href="https://www.splunk.com/blog/2014/07/22/updating-the-iplocation-db.html">https://www.splunk.com/blog/2014/07/22/updating-the-iplocation-db.html</A></P> Sun, 04 Jun 2017 14:08:21 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-displays-incorrect-location-on-using-iplocation/m-p/326739#M97362 mattymo 2017-06-04T14:08:21Z https://community.splunk.com/t5/Splunk-Search/Splunk-displays-incorrect-location-on-using-iplocation/m-p/326740#M97363 <P>To add some additional specificity ... iplocation services are provided by a variety of vendors who collect their data in their own unique way. There is no single, universally accurate that "the internet" ties IP addresses to physical locations. Splunk, for their part, use the Maxmind Geolite2 databases. ( <A href="https://dev.maxmind.com/geoip/geoip2/geolite2/">https://dev.maxmind.com/geoip/geoip2/geolite2/</A> ) Geolite2 is great because it is free. Geolite2 is terrible because it has a lower update frequency, and lower accuracy overall. </P> <P>As Matty has mentioned, you can update Splunk's Geolite2 databases relatively easily, or you can accept that they will be updated each time you update Splunk itself.</P> <P>If iplocation data is very important to you, I would suggest subscribing to Maxmind's Geoip2 database feed service. These feeds should be available in a format compatible with Splunk, and will be updated more frequently and more accurate overall. But, it is a separate subscription above and beyond your Splunk purchase. See <A href="https://www.maxmind.com/en/geoip2-city">https://www.maxmind.com/en/geoip2-city</A></P> Sun, 04 Jun 2017 16:32:54 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-displays-incorrect-location-on-using-iplocation/m-p/326740#M97363 dwaddle 2017-06-04T16:32:54Z https://community.splunk.com/t5/Splunk-Search/Splunk-displays-incorrect-location-on-using-iplocation/m-p/326741#M97364 <P>Thanks. Works perfectly after updating Splunk.</P> Sun, 04 Jun 2017 17:11:39 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-displays-incorrect-location-on-using-iplocation/m-p/326741#M97364 rakes568 2017-06-04T17:11:39Z https://community.splunk.com/t5/Splunk-Search/Splunk-displays-incorrect-location-on-using-iplocation/m-p/326742#M97365 <P><CODE>+1</CODE> with the points Duane makes. IMO iplocation is a "grain of salt" data point, but the paid services should allow you to be as accurate as you can be with this kind of data. </P> Sun, 04 Jun 2017 19:32:18 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-displays-incorrect-location-on-using-iplocation/m-p/326742#M97365 mattymo 2017-06-04T19:32:18Z https://community.splunk.com/t5/Splunk-Search/Splunk-displays-incorrect-location-on-using-iplocation/m-p/326743#M97366 <P>And example code to automate updating the DB<BR /> <A href="https://github.com/georgestarcher/TA-geoip">https://github.com/georgestarcher/TA-geoip</A></P> Thu, 08 Jun 2017 13:34:48 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-displays-incorrect-location-on-using-iplocation/m-p/326743#M97366 starcher 2017-06-08T13:34:48Z