Old thread, but no final solution explanation was given, so I wanted to share a solution as we were facing a similar issue:

We experienced the behaviour when using iplocation in conjunction with eventstats. When iplocation was used before eventstats, the location was correct; when used after eventstats, it was wrong.

Cause: Eventstats (as well as stats) is a data processing / non-streaming command (-> it runs on the search head). Iplocation is a distributable streaming command (-> it can run on the indexer). So using iplocation BEFORE eventstats (and right after the base search) makes it run on the indexers. When using iplocation AFTER eventstats, it runs on the search head.

The reason for the different location results was different iplocation database versions (GeoLite2..) on search head and indexers.

So make sure your geolocation db is up-to-date and identical on all your Splunk components; then iplocation yields the same results regardless of where it is used in the search.

Where you place it depends on your search. Usually it is advisable to enrich AFTER transforming/aggregation commands like stats or eventstats. But as iplocation is a distributable streaming command, it might perform better when it can run on the indexers instead of the search head.
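One way to check that every component carries the same database, as an added example that is not part of the original post: it fingerprints each copy by SHA-256 and by the `build_epoch` field in the MMDB metadata, then groups hosts by fingerprint. The host names and byte strings are constructed stand-ins, not real GeoLite2 files.

```python
import hashlib
import struct
from collections import defaultdict

METADATA_MARKER = b"\xab\xcd\xefMaxMind.com"  # starts the MMDB metadata section
EPOCH_KEY = b"\x4bbuild_epoch"  # control byte (UTF-8 string, length 11) + key


def build_epoch(blob):
    """Return build_epoch from the MMDB metadata, or None if unreadable."""
    start = blob.rfind(METADATA_MARKER)  # the last marker in the file counts
    key_at = blob.find(EPOCH_KEY, start) if start >= 0 else -1
    pos = key_at + len(EPOCH_KEY)
    if key_at < 0 or pos + 2 > len(blob):
        return None
    ctrl, ext, size = blob[pos], blob[pos + 1], blob[pos] & 0x1F
    # uint64 is an extended type: type bits 0, next byte 9 - 7 = 2, size <= 8
    if ctrl >> 5 != 0 or ext != 2 or size > 8 or pos + 2 + size > len(blob):
        return None
    return int.from_bytes(blob[pos + 2:pos + 2 + size], "big")


def fingerprint(blob):
    """(sha256 hex, build_epoch) identifies one database release."""
    return hashlib.sha256(blob).hexdigest(), build_epoch(blob)


def find_drift(copies):
    """copies maps host -> database bytes. Returns {fingerprint: [hosts]}
    when more than one distinct database is deployed, otherwise {}."""
    groups = defaultdict(list)
    for host, blob in sorted(copies.items()):
        groups[fingerprint(blob)].append(host)
    return dict(groups) if len(groups) > 1 else {}


def fake_mmdb(epoch, payload):
    """Constructed stand-in: payload, marker, one-entry metadata map."""
    meta = b"\xe1" + EPOCH_KEY + b"\x04\x02" + struct.pack(">I", epoch)
    return payload + METADATA_MARKER + meta


# Constructed sample: hypothetical host names, search head newer than indexers.
SAMPLE = {
    "sh01": fake_mmdb(1700000000, b"new-tree"),
    "idx01": fake_mmdb(1600000000, b"old-tree"),
    "idx02": fake_mmdb(1600000000, b"old-tree"),
}

if __name__ == "__main__":
    for (digest, epoch), hosts in find_drift(SAMPLE).items():
        print(f"build_epoch={epoch} sha256={digest[:12]} hosts={', '.join(hosts)}")
```

For real use, fill `copies` with `Path(p).read_bytes()` for the database file collected from each search head and indexer.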