Determine country, city, and long/latitude for an IP address (ipv4 or ipv6). The attributes ip.country, ip.city, ip.lon, ip.lat are added to the event.
LogScale includes GeoLite2 data created by MaxMind. By default, the database is automatically updated if the cluster is running with a valid LogScale license.
In order to use your own MaxMind database, place it in the LogScale data
directory as IpLocationDb.mmdb and run LogScale with
environment variable AUTO_UPDATE_IP_LOCATION_DB set to
false. You must use a database that includes city information (e.g.,
GeoLite2 City). For more information, see
MaxMind Configuration.
Function Traits: Transformation
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
as | string | optional | Name the prefix to add to fields added by the ipLocation function. Defaults to . (the name of the field from which to get the IP address). | |
field[a] | string | optional | ip | The field from which to get the IP address. |
The parameter name for field can be omitted; the following forms are equivalent:
ipLocation("ip")and:
ipLocation(field="ip")ipLocation() Examples
Based on the field ip, the attributes ip.country, ip.city, ip.lon and ip.lat are added to the event.
ipLocation()Based on the field address, the attributes address.country, address.city, address.lon and address.lat are added to the event.
ipLocation(field=address)Based on the field ip, the attributes address.country, address.city, address.lon and address.lat are added to the event.
ipLocation(as=address)