Iplocation Command

rsimmons · ‎08-23-2010

I tried using the iplocation command on the searchHeadUI. I was using this search:

index=na1 logRecordTypeL=1 | head 20 | iplocation

An error was thrown on the UI- what does it mean? How can we make the command work?

gkanapathy · ‎08-23-2010

What error was thrown? How would I know if this applies to me?

rsimmons · ‎08-23-2010

Iplocation search command adds City and Country fields to your search results. It does this by looking up the IP addresses it finds using the hostip.info API. Check to see if this server has access to the internet. Unfortunately if your Splunk server doesn't have direct internet access then this script will fail.

The script itself is a very simple Python script that use the module urllib.urlopen to make the API call. To get it to use your proxy server is easy.

Make a backup of the original script:

$ cd $SPLUNK_HOME/etc/searchscripts
$ cp iplocation.py iplocation.py.bak

Edit iplocation.py and add the following line below the LOCATION_URL definition:

PROXIES = {'http':'http://proxy.example.com:8080'}

Then find the line that reads:

location = urllib.urlopen( LOCATION_URL + ip )

and change it to:

location = urllib.urlopen( LOCATION_URL + ip, proxies=PROXIES )

Then perform your search and pipe it to iplocation. Make sure to limit your search as the script will do a HTTP request for every IP address it finds.

Lowell · ‎08-23-2010

Keep in mind that any changes to build in search commands will be replaced on each and every upgrade. Also, the default location of this script as of 4.x is $SPLUNK_HOME/etc/apps/search/bin/iplocation.py no the seachscript location mentioned above.

Iplocation Command

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...