ipLocation()

`ipLocation()`

The ipLocation() function adds geolocation data for IPv4 or IPv6 addresses. It adds the following 4 fields (attributes) to the events (ip prefix is default): ip.country, ip.city, ip.lon, and ip.lat.

LogScale includes GeoLite2 data created by MaxMind. By default, the database is automatically updated if the cluster is running with a valid LogScale license.

Note

Updates to the MaxMind database are checked every 5 minutes.

Only the paid version of the MaxMind database includes city information as well as country information. Some IP addresses only show country information regardless of the MaxMind database version used, in case the city information is unknown.

Note

For self-hosted customers, in order to use your own MaxMind database, place it in the LogScale data directory as IpLocationDb.mmdb and run LogScale with environment variable AUTO_UPDATE_IP_LOCATION_DB set to false. Ensure that the database includes city information (for example, GeoLite2 City). For more information, see MaxMind Configuration.

Parameter	Type	Required	Default Value	Description
`as`	string	optional^[a]		Name the prefix to add to fields added by the ipLocation function. Defaults to `.` (the name of the field from which to get the IP address).
`field`^[b]	string	optional^[a]	`ip`	The field from which to get the IP address.
^[a]Optional parameters use their default value unless explicitly set. ^[b]The parameter name `field` can be omitted.

Hide omitted argument names for this function

Show omitted argument names for this function

`ipLocation()` Syntax Examples

Based on the field ip, the attributes ip.country, ip.city, ip.lon and ip.lat are added to the event. The default field is ip.

logscale

ipLocation()

Based on the field address, the attributes address.country, address.city, address.lon and address.lat are added to the event. The field parameter is used in the following example:

logscale

ipLocation(field=address)

Based on the field ip, the attributes address.country, address.city, address.lon and address.lat are added to the event. The as parameter is used in the following example:

logscale

ipLocation(as=address)

`ipLocation()` Examples

Click + next to an example below to get the full details.

Retrieve Location Data From Specified Field

Retrieve location data from a specified field using the ipLocation() function

In this example, the ipLocation() function is used with the field parameter to retrieve location data from the@rawstring field. The default prefix value in the field parameter is ip, but with the field parameter

defined as , then the prefix will be .

@rawstring	@rawstring.city	@rawstring.country	@rawstring.lat	@rawstring.lon
165.225.194.1	Copenhagen	DK	55.674	12.5696
1.2.3.4	<no value>	AU	-33.494	143.2104
4.3.2.1	<no value>	US	37.751	-97.822
8.8.8.8	<no value>	US	37.751	-97.822

Data Analysis Overview

LogScale User Interface

Repositories & Views

Parsing Data

Searching Data

Writing Queries

Query Language Syntax

Query Functions

Dashboards & Widgets

Automation

Template Language

Keyboard Shortcuts

`ipLocation()`

Note

Note

`ipLocation()` Syntax Examples

`ipLocation()` Examples

Retrieve Location Data From Specified Field

Query

Introduction

Step-by-Step

Summary and Results

Enter search term

Data Analysis Overview

LogScale User Interface

Repositories & Views

Parsing Data

Searching Data

Writing Queries

Query Language Syntax

Query Functions

Dashboards & Widgets

Automation

Template Language

Keyboard Shortcuts

Note

Note

ipLocation() Syntax Examples

ipLocation() Examples

Retrieve Location Data From Specified Field

Query

Introduction

Step-by-Step

Summary and Results

Enter search term

`ipLocation()`

`ipLocation()` Syntax Examples

`ipLocation()` Examples