ip-lookup
The `ip-lookup` operator enriches events with geolocation data for an IP address field, using MaxMind's GeoIP2 and GeoLite2 databases or IPinfo's IP address databases. For the IP address in the specified field it can return city, continent, country, latitude, longitude, postal code, region, and time zone. You can choose which fields to return, add a prefix to their names, and set the language of the returned values.

You can display `ip-lookup` results in a Map Chart.
Prerequisites
The `ip-lookup` operator needs a `.mmdb` database file. Download the file from MaxMind or IPinfo, then create a lookup table from it. This file contains the geolocation data used for IP address enrichment. Results are only as current as the file you uploaded, so re-upload the database when the provider publishes a new version.
MaxMind’s GeoIP2 City, GeoIP2 Country, and GeoLite2 are supported. The GeoIP2 databases are a more accurate version of the free GeoLite2 City database.
To download the free GeoLite2 City database you need a free GeoLite2 account. For details, see MaxMind’s Accessing GeoLite2 Free Geolocation Data documentation.
IPinfo’s IP Geolocation, IP to privacy detection, ASN, IP to Company, Abuse contact, and WHOIS databases are supported.
IPinfo also provides the following free IP databases: IP to Country, IP to ASN, and IP to Country ASN.
Syntax
Syntax

```
Scope | ip-lookup [ output=OutputField[, ...] ] [ prefix=Prefix ] [ lang=Lang ] LookupTable [ on IPField ]
```

Arguments

- Scope: The events to search.
- OutputField: Field(s) to return from the lookup. By default, all available fields are returned:
  - `city`, for example `Georgetown`
  - `continent`, for example `North America`
  - `continent_code`, for example `NA`
  - `country`, for example `United States`
  - `country_code`, for example `US`
  - `lat`, numeric latitude coordinate
  - `lon`, numeric longitude coordinate
  - `postal`, for example `40324`
  - `region`, for example `Kentucky`
  - `region_code`, for example `KY`
  - `time_zone`, for example `America/Los_Angeles`
- Prefix: A prefix to add to the output field names. For example, with `prefix=ip_` the output fields are named `ip_city`, `ip_country`, and so on. Use a prefix to keep lookup results distinct from any fields of the same names that the events already carry.
- Lang: The language of the returned values. Defaults to `en` (English). Supports Brazilian Portuguese (`pt-BR`), English (`en`), French (`fr`), German (`de`), Japanese (`ja`), Russian (`ru`), Simplified Chinese (`zh-CN`), and Spanish (`es`).
- LookupTable: The name of the lookup table that contains the database, without the `.mmdb` file extension. For example, a file named `GeoLite2-city.mmdb` is entered as `GeoLite2-city`.
- IPField: The field that contains the IP address to look up. Defaults to `ip`.
Examples
The runnable examples below require you to first acquire and upload a compatible `.mmdb` file, as described above under Prerequisites.

Look up geolocation data on the `dstaddr` field:

```
dataset="cribl_search_sample" dataSource=*vpc* | limit 1000 | ip-lookup geocity on dstaddr
```

Look up only latitude and longitude on the `dstaddr` field:

```
dataset="cribl_search_sample" dataSource=*vpc* | limit 1000 | ip-lookup output=lat,lon geocity on dstaddr
```

Look up geolocation data on the default `ip` field:

```
dataset=myDataset | ip-lookup 'GeoLite2-City'
```

Look up geolocation data on the `my_ip` field:

```
dataset=myDataset | ip-lookup 'GeoLite2-City' on my_ip
```

Look up geolocation data on the `ip_address` field and return only the prefixed `ip_lat` and `ip_lon` fields:

```
dataset=myDataset | ip-lookup output=lat,lon prefix=ip_ 'GeoLite2-City' on ip_address
```

Look up geolocation data on the `ip_address` field and return only the `city` and `region` fields in Spanish:

```
dataset=myDataset | ip-lookup output=city,region lang=es 'GeoIP2-City' on ip_address
```
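The following query is an added example and is not part of the original page or Cribl's own documentation. It shows the operator in a detection-style use: enrich VPC flow records with the destination country, drop records whose address returned no lookup result (private or otherwise unlisted addresses, for example, are absent from the databases), keep only destinations outside an expected country, and count flows per country. It assumes the `cribl_search_sample` dataset and the `geocity` lookup table used in the examples above, that the `where` and `summarize` operators and the `isnotnull()` function are available in Cribl Search, and treats `US` as a placeholder for whatever country your environment expects.

```kusto
// Added example; assumes the geocity lookup table and the sample VPC dataset.
dataset="cribl_search_sample" dataSource=*vpc*
| limit 1000
// Prefix the output so dst_country/dst_country_code cannot collide with event fields.
| ip-lookup output=country,country_code prefix=dst_ geocity on dstaddr
// Addresses not covered by the database produce no dst_* fields; exclude them explicitly
// so they are not mistaken for "foreign" destinations. "US" is a placeholder.
| where isnotnull(dst_country_code) and dst_country_code != "US"
// One row per unexpected destination country with its flow count.
| summarize flows=count() by dst_country, dst_country_code
```

Requesting only the `country` and `country_code` fields keeps the result narrow; add `lat,lon` to the `output` list if you want to plot the same result in a Map Chart.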