Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Iplocation Command

rsimmons
Splunk Employee
Splunk Employee
‎08-23-2010 08:50 PM

I tried using the iplocation command on the searchHeadUI. I was using this search:

index=na1 logRecordTypeL=1 | head 20 | iplocation

An error was thrown on the UI- what does it mean? How can we make the command work?

Tags (2)
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-23-2010 09:43 PM

What error was thrown? How would I know if this applies to me?

0 Karma
Reply

rsimmons
Splunk Employee
Splunk Employee
‎08-23-2010 08:53 PM

Iplocation search command adds City and Country fields to your search results. It does this by looking up the IP addresses it finds using the hostip.info API. Check to see if this server has access to the internet. Unfortunately if your Splunk server doesn't have direct internet access then this script will fail.

The script itself is a very simple Python script that use the module urllib.urlopen to make the API call. To get it to use your proxy server is easy.

Make a backup of the original script:

$ cd $SPLUNK_HOME/etc/searchscripts
$ cp iplocation.py iplocation.py.bak

Edit iplocation.py and add the following line below the LOCATION_URL definition:

PROXIES = {'http':'http://proxy.example.com:8080'}

Then find the line that reads:

location = urllib.urlopen( LOCATION_URL + ip )

and change it to:

location = urllib.urlopen( LOCATION_URL + ip, proxies=PROXIES )

Then perform your search and pipe it to iplocation. Make sure to limit your search as the script will do a HTTP request for every IP address it finds.

Reply

Lowell
Super Champion
‎08-23-2010 09:32 PM

Keep in mind that any changes to build in search commands will be replaced on each and every upgrade. Also, the default location of this script as of 4.x is $SPLUNK_HOME/etc/apps/search/bin/iplocation.py no the seachscript location mentioned above.

Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...