Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Internet access for iplocation command
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
We are using Splunk 5.0.4 extensively. We use maxmind to resolve Client IP to Country, City, Net Speed and ISP.
Now we are upgrading splunk to Splunk 6.0.1. As part of POC and some initial trials, i have installed Splunk 6.0.1 on my laptop.
Recently i came across iplocation command. I thought i will start using iplocation command and stop using maxmind. So, in my new Splunk installation i added a log file and wrote a simple search
index=main | iplocation allfields=true ClientIP | table *
Note: It is a fresh Splunk installation. While running these tests my laptop is not connected to internet
In my search results I am getting City, Country, lat, lon details. But, as per the links below, the iplocation command uses hostip.info api and it needs internet access.
http://answers.splunk.com/answers/49797/iplocation-and-counting-ips
http://answers.splunk.com/answers/5946/iplocation-command
http://answers.splunk.com/answers/45819/unknown-country-returned-by-iplocation-bug
I am puzzled.
Could you please let me know:
whether iplocation command needs internet access to retrieve the results?
whether splunk has any in built geo database that is returning the geographic details?
Thanks
Strive
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As of 6.0, iplocation transitioned away from a python script that went to the internet, to a fully-integrated Splunk command that uses a built-in database. (Likely maxmind, from the answer here: http://answers.splunk.com/answers/123430/how-to-update-geoip-database-for-iplocation-command)
No internet access required, anymore.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As of 6.0, iplocation transitioned away from a python script that went to the internet, to a fully-integrated Splunk command that uses a built-in database. (Likely maxmind, from the answer here: http://answers.splunk.com/answers/123430/how-to-update-geoip-database-for-iplocation-command)
No internet access required, anymore.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes splunk is using maxmind geo lite databases. These databases are updated for every minor release. Since maxmind databases get updated once every week (approximately) we have written python script which pulls the latest db files and replaces the older ones in our system.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
