Determine country, city, and long/latitude for an IP address (ipv4 or ipv6). The attributes ip.country, ip.city, ip.lon, ip.lat are added to the event.
LogScale includes GeoLite2 data created by MaxMind. By default, the database is automatically updated if the cluster is running with a valid LogScale license.
In order to use your own MaxMind database, place it in the LogScale data
directory as IpLocationDb.mmdb and run LogScale with
environment variable AUTO_UPDATE_IP_LOCATION_DB set to
false. You must use a database that includes city information (e.g.,
GeoLite2 City).
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
as | string | false | Name the prefix to add to fields added by the ipLocation function. Defaults to . (the name of the field from which to get the IP address). | |
field | string | false | ip | The field from which to get the IP address. [a] |
Examples
Based on the field ip, the
attributes ip.country,
ip.city,
ip.lon and
ip.lat are added to the event.
ipLocation()
Based on the field address, the attributes
address.country,
address.city,
address.lon and
address.lat are added to the
event.
ipLocation(field=address)
Based on the field ip, the attributes
address.country,
address.city,
address.lon and
address.lat are added to the
event.
ipLocation(as=address)