Splunk Search

Splunk displays incorrect location on using iplocation

rakes568
Explorer

On using iplocation, Splunk returns incorrect coordinates for an IP, and displays location incorrectly on map with geostats.
For IP 52.43.227.70, it returns coordinates 39.56450, -75.59700.
alt text

Whereas actual coordinates for IP address 52.43.227.70 using infosnipper.net (or any other online APIs for that matter) are 45.8696, -119.688, and location is in Oregon region.

Has anyone seen this issue?

0 Karma
1 Solution

mattymo
Splunk Employee
Splunk Employee

Hi rakes568!

Which version of Splunk are you using?

Splunk updates the db used when doing iplocation each release, which can be found in $SPLUNK_HOME/share/

I am running 6.6.1 and I am receiving the correct information when comparing to online services you mentioned.

alt text

My guess is you simply have an older version of Splunk, and thus, an older copy of the db, and seeing how this is Amazon ip space, it is not surprising it may change.

The good news is, since 6.1 you can update the db manually if you need to!! Check out this blog on the topic!

https://www.splunk.com/blog/2014/07/22/updating-the-iplocation-db.html

- MattyMo

View solution in original post

mattymo
Splunk Employee
Splunk Employee

Hi rakes568!

Which version of Splunk are you using?

Splunk updates the db used when doing iplocation each release, which can be found in $SPLUNK_HOME/share/

I am running 6.6.1 and I am receiving the correct information when comparing to online services you mentioned.

alt text

My guess is you simply have an older version of Splunk, and thus, an older copy of the db, and seeing how this is Amazon ip space, it is not surprising it may change.

The good news is, since 6.1 you can update the db manually if you need to!! Check out this blog on the topic!

https://www.splunk.com/blog/2014/07/22/updating-the-iplocation-db.html

- MattyMo

dwaddle
SplunkTrust
SplunkTrust

To add some additional specificity ... iplocation services are provided by a variety of vendors who collect their data in their own unique way. There is no single, universally accurate that "the internet" ties IP addresses to physical locations. Splunk, for their part, use the Maxmind Geolite2 databases. ( https://dev.maxmind.com/geoip/geoip2/geolite2/ ) Geolite2 is great because it is free. Geolite2 is terrible because it has a lower update frequency, and lower accuracy overall.

As Matty has mentioned, you can update Splunk's Geolite2 databases relatively easily, or you can accept that they will be updated each time you update Splunk itself.

If iplocation data is very important to you, I would suggest subscribing to Maxmind's Geoip2 database feed service. These feeds should be available in a format compatible with Splunk, and will be updated more frequently and more accurate overall. But, it is a separate subscription above and beyond your Splunk purchase. See https://www.maxmind.com/en/geoip2-city

starcher
SplunkTrust
SplunkTrust

And example code to automate updating the DB
https://github.com/georgestarcher/TA-geoip

mattymo
Splunk Employee
Splunk Employee

+1 with the points Duane makes. IMO iplocation is a "grain of salt" data point, but the paid services should allow you to be as accurate as you can be with this kind of data.

- MattyMo
0 Karma

rakes568
Explorer

Thanks. Works perfectly after updating Splunk.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...