Splunk Search

Iplocation Command

Splunk Employee
Splunk Employee

I tried using the iplocation command on the searchHeadUI. I was using this search:

index=na1 logRecordTypeL=1 | head 20 | iplocation

An error was thrown on the UI- what does it mean? How can we make the command work?

Tags (2)

Splunk Employee
Splunk Employee

What error was thrown? How would I know if this applies to me?

0 Karma

Splunk Employee
Splunk Employee

Iplocation search command adds City and Country fields to your search results. It does this by looking up the IP addresses it finds using the hostip.info API. Check to see if this server has access to the internet. Unfortunately if your Splunk server doesn't have direct internet access then this script will fail.

The script itself is a very simple Python script that use the module urllib.urlopen to make the API call. To get it to use your proxy server is easy.

Make a backup of the original script:

$ cd $SPLUNK_HOME/etc/searchscripts
$ cp iplocation.py iplocation.py.bak

Edit iplocation.py and add the following line below the LOCATION_URL definition:

PROXIES = {'http':'http://proxy.example.com:8080'}

Then find the line that reads:

location = urllib.urlopen( LOCATION_URL + ip )

and change it to:

location = urllib.urlopen( LOCATION_URL + ip, proxies=PROXIES )

Then perform your search and pipe it to iplocation. Make sure to limit your search as the script will do a HTTP request for every IP address it finds.

Super Champion

Keep in mind that any changes to build in search commands will be replaced on each and every upgrade. Also, the default location of this script as of 4.x is $SPLUNK_HOME/etc/apps/search/bin/iplocation.py no the seachscript location mentioned above.