Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk displays incorrect location on using iplocation

rakes568
Explorer
‎06-04-2017 02:55 AM

On using iplocation, Splunk returns incorrect coordinates for an IP, and displays location incorrectly on map with geostats.
For IP 52.43.227.70, it returns coordinates 39.56450, -75.59700.
alt text

Whereas actual coordinates for IP address 52.43.227.70 using infosnipper.net (or any other online APIs for that matter) are 45.8696, -119.688, and location is in Oregon region.

Has anyone seen this issue?

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎06-04-2017 07:08 AM

Hi rakes568!

Which version of Splunk are you using?

Splunk updates the db used when doing iplocation each release, which can be found in $SPLUNK_HOME/share/

I am running 6.6.1 and I am receiving the correct information when comparing to online services you mentioned.

alt text

My guess is you simply have an older version of Splunk, and thus, an older copy of the db, and seeing how this is Amazon ip space, it is not surprising it may change.

The good news is, since 6.1 you can update the db manually if you need to!! Check out this blog on the topic!

https://www.splunk.com/blog/2014/07/22/updating-the-iplocation-db.html

- MattyMo

View solution in original post

Reply
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎06-04-2017 07:08 AM

Hi rakes568!

Which version of Splunk are you using?

Splunk updates the db used when doing iplocation each release, which can be found in $SPLUNK_HOME/share/

I am running 6.6.1 and I am receiving the correct information when comparing to online services you mentioned.

alt text

My guess is you simply have an older version of Splunk, and thus, an older copy of the db, and seeing how this is Amazon ip space, it is not surprising it may change.

The good news is, since 6.1 you can update the db manually if you need to!! Check out this blog on the topic!

https://www.splunk.com/blog/2014/07/22/updating-the-iplocation-db.html

- MattyMo
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎06-04-2017 09:32 AM

To add some additional specificity ... iplocation services are provided by a variety of vendors who collect their data in their own unique way. There is no single, universally accurate that "the internet" ties IP addresses to physical locations. Splunk, for their part, use the Maxmind Geolite2 databases. ( https://dev.maxmind.com/geoip/geoip2/geolite2/ ) Geolite2 is great because it is free. Geolite2 is terrible because it has a lower update frequency, and lower accuracy overall.

As Matty has mentioned, you can update Splunk's Geolite2 databases relatively easily, or you can accept that they will be updated each time you update Splunk itself.

If iplocation data is very important to you, I would suggest subscribing to Maxmind's Geoip2 database feed service. These feeds should be available in a format compatible with Splunk, and will be updated more frequently and more accurate overall. But, it is a separate subscription above and beyond your Splunk purchase. See https://www.maxmind.com/en/geoip2-city

Reply
Solved! Jump to solution

starcher
Influencer
‎06-08-2017 06:34 AM

And example code to automate updating the DB
https://github.com/georgestarcher/TA-geoip

Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎06-04-2017 12:32 PM

+1 with the points Duane makes. IMO iplocation is a "grain of salt" data point, but the paid services should allow you to be as accurate as you can be with this kind of data.

- MattyMo
0 Karma
Reply
Solved! Jump to solution

rakes568
Explorer
‎06-04-2017 10:11 AM

Thanks. Works perfectly after updating Splunk.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...