Retrieve Location Data From Specified Field

Retrieve location data from a specified field using the ipLocation() function

Query

logscale

ipLocation(field=@rawstring)

Introduction

The ipLocation() function can be used to add geolocation data for IPv4 or IPv6 addresses. The function adds the following fields to the events: Country, City, Longitude, and Latitude.

LogScale includes MaxMind's GeoLite2 data. The MaxMind database updates automatically every 5 minutes when you have a valid LogScale license.

In this example, the ipLocation() function is used with the field parameter to retrieve location data from the @rawstring field. The default prefix value in the field parameter is ip, but with the field parameter

defined as @rawstring, then the prefix will be @rawstring.

Example incoming data might look like this:

@rawstring
165.225.194.1
1.2.3.4
4.3.2.1
8.8.8.8

Step-by-Step

Starting with the source repository events.
flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0[\Add Field/] result{{Result Set}} repo --> 0 0 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;
logscale
```
ipLocation(field=@rawstring)
```
Retrieves location data from the @rawstring field, and adds the fields @rawstring.country, @rawstring.city, @rawstring.lon, and @rawstring.lat to the event.
Event Result set.

Summary and Results

The query is used to retrieve location data from the @rawstring field also adding more geolocation information to the events, such as Country, City, Longitude, and Latitude. The function automatically enriches the events with standardized location data, which enables consistent geographic analysis across the logs. This is, for example, useful for detection of suspicious access patterns from unexpected locations.

Sample output from the incoming example data: