Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Iplocation Command

rsimmons
Splunk Employee
Splunk Employee
‎08-23-2010 08:50 PM

I tried using the iplocation command on the searchHeadUI. I was using this search:

index=na1 logRecordTypeL=1 | head 20 | iplocation

An error was thrown on the UI- what does it mean? How can we make the command work?

Tags (2)
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-23-2010 09:43 PM

What error was thrown? How would I know if this applies to me?

0 Karma
Reply

rsimmons
Splunk Employee
Splunk Employee
‎08-23-2010 08:53 PM

Iplocation search command adds City and Country fields to your search results. It does this by looking up the IP addresses it finds using the hostip.info API. Check to see if this server has access to the internet. Unfortunately if your Splunk server doesn't have direct internet access then this script will fail.

The script itself is a very simple Python script that use the module urllib.urlopen to make the API call. To get it to use your proxy server is easy.

Make a backup of the original script:

$ cd $SPLUNK_HOME/etc/searchscripts
$ cp iplocation.py iplocation.py.bak

Edit iplocation.py and add the following line below the LOCATION_URL definition:

PROXIES = {'http':'http://proxy.example.com:8080'}

Then find the line that reads:

location = urllib.urlopen( LOCATION_URL + ip )

and change it to:

location = urllib.urlopen( LOCATION_URL + ip, proxies=PROXIES )

Then perform your search and pipe it to iplocation. Make sure to limit your search as the script will do a HTTP request for every IP address it finds.

Reply

Lowell
Super Champion
‎08-23-2010 09:32 PM

Keep in mind that any changes to build in search commands will be replaced on each and every upgrade. Also, the default location of this script as of 4.x is $SPLUNK_HOME/etc/apps/search/bin/iplocation.py no the seachscript location mentioned above.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...