Splunk Search

Splunk displays incorrect location on using iplocation

rakes568
Explorer

On using iplocation, Splunk returns incorrect coordinates for an IP, and displays the location incorrectly on the map with geostats.
For IP 52.43.227.70, it returns coordinates 39.56450, -75.59700.

Whereas the actual coordinates for IP address 52.43.227.70 using infosnipper.net (or any other online API, for that matter) are 45.8696, -119.688, and the location is in the Oregon region.

Has anyone seen this issue?

1 Solution

mattymo
Splunk Employee

Hi rakes568!

Which version of Splunk are you using?

Splunk updates the db used when doing iplocation each release; it can be found in $SPLUNK_HOME/share/.

I am running 6.6.1 and I am receiving the correct information when comparing to online services you mentioned.


My guess is you simply have an older version of Splunk, and thus an older copy of the db, and seeing how this is Amazon IP space, it is not surprising it may change.

The good news is, since 6.1 you can update the db manually if you need to!! Check out this blog on the topic!

https://www.splunk.com/blog/2014/07/22/updating-the-iplocation-db.html

- MattyMo


dwaddle
SplunkTrust

To add some additional specificity ... iplocation services are provided by a variety of vendors who collect their data in their own unique way. There is no single, universally accurate way that "the internet" ties IP addresses to physical locations. Splunk, for their part, uses the MaxMind GeoLite2 databases (https://dev.maxmind.com/geoip/geoip2/geolite2/). GeoLite2 is great because it is free. GeoLite2 is terrible because it has a lower update frequency, and lower accuracy overall.

As Matty has mentioned, you can update Splunk's GeoLite2 databases relatively easily, or you can accept that they will be updated each time you update Splunk itself.

If iplocation data is very important to you, I would suggest subscribing to MaxMind's GeoIP2 database feed service. These feeds should be available in a format compatible with Splunk, and will be updated more frequently and be more accurate overall. But it is a separate subscription above and beyond your Splunk purchase. See https://www.maxmind.com/en/geoip2-city
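A small check that puts numbers on the drift Matty and Duane describe, as an added example that is not part of this thread or of Splunk: it parses a constructed export of `| iplocation ip | table ip lat lon`, compares each point with a reference provider's coordinates using the haversine distance, and flags IPs where the bundled geo DB is more than a threshold off. The reference values, the second IP and the 250 km threshold are assumptions for the demo.

```python
"""Flag iplocation results that disagree with a reference geo provider."""
import csv
import io
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_iplocation_csv(text):
    """Parse a CSV export of `| iplocation ip | table ip lat lon`.

    Rows with empty lat/lon (IP not in the DB) are skipped.
    """
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["lat"] and row["lon"]:
            rows[row["ip"]] = (float(row["lat"]), float(row["lon"]))
    return rows


def find_drift(splunk, reference, threshold_km=250.0):
    """Return [(ip, km)] for IPs where Splunk and the reference disagree by more than threshold_km."""
    drift = []
    for ip, (lat, lon) in splunk.items():
        ref = reference.get(ip)
        if ref is None:
            continue  # no reference value to compare against
        km = haversine_km(lat, lon, *ref)
        if km > threshold_km:
            drift.append((ip, round(km, 1)))
    return drift


# Constructed sample: the IP from this thread (stale DB result) plus one that agrees.
SPLUNK_EXPORT = """ip,lat,lon
52.43.227.70,39.56450,-75.59700
198.51.100.7,48.85800,2.34700
"""
# Assumed reference coordinates (second entry is a made-up TEST-NET address).
REFERENCE = {"52.43.227.70": (45.8696, -119.688), "198.51.100.7": (48.8566, 2.3522)}

if __name__ == "__main__":
    for ip, km in find_drift(parse_iplocation_csv(SPLUNK_EXPORT), REFERENCE):
        print(f"{ip}: Splunk geo DB is {km} km off the reference; refresh GeoLite2")
```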

starcher
SplunkTrust

And example code to automate updating the DB:
https://github.com/georgestarcher/TA-geoip

mattymo
Splunk Employee

+1 with the points Duane makes. IMO iplocation is a "grain of salt" data point, but the paid services should allow you to be as accurate as you can be with this kind of data.

- MattyMo

rakes568
Explorer

Thanks. Works perfectly after updating Splunk.
