Locating IP Addresses


Google Earth Through Splunk

In one of my old blog posts I talked about how to look up IP addresses and map them to a geo location. That time, I was showing how it is done on the command line and totally outside of Splunk. However, what I really wanted was a way to look up the locations within Splunk whenever an IP address is shown in an event.

A lookup should take the IP address, figure out its coordinates and then plot the result on a map. What better to use than Google Earth and Google Maps? This is what my Google add-on does. The problem that I had to overcome was the mapping of the IP address to a location. I could have used some Python library and put a Python script into the add-on to actually do the translation. I found an easier solution by using a Web service to do the lookup for me. In addition to just translating the IP address to a geo location, the service even generates KML for me, which is the file format that tells Google Earth where the IP address is located. The only thing I had to do was build a simple field action associated with IP addresses. After the add-on is installed, you click on the field action of an IP address. A new menu entry is then shown, which calls an external Web service that returns the KML file. You then open this file in Google Earth. For your reference, here is the field action from the bundle:

[googleearth-1]
metaKeys=ip
uri=http://www.someservice.com/index.php/iptokml?ip={$ip}&comment={$ip}
label=Locate in Google Earth

Simple, isn’t it?
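To show what happens between the click and the map, here is an added Python example that is not part of the original post or of the add-on. It stands in for the external Web service: a constructed lookup table (GEO_TABLE, RFC 5737 documentation ranges with made-up coordinates) maps an address to latitude and longitude, build_kml emits the KML Placemark that Google Earth would open, and build_lookup_uri assembles the same style of URL the field action above calls (the base URI is the placeholder from the post). Everything else, including the function names and the NON_ROUTABLE list, is an assumption for this demo. The one thing it adds to the post is the check a practitioner would want: the field value is parsed as an IP literal and URL-encoded before it is interpolated into the query string, rather than pasted in verbatim, and private or loopback addresses are not sent out for geolocation at all.

```python
import ipaddress
import urllib.parse
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample table standing in for the external IP-to-location service.
# Ranges are RFC 5737 documentation networks; the coordinates are made up.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): (37.7749, -122.4194, "San Francisco (constructed sample)"),
    ipaddress.ip_network("198.51.100.0/24"): (51.5074, -0.1278, "London (constructed sample)"),
}

# Addresses it never makes sense to geolocate (or to send to a third party):
# RFC 1918, loopback, link-local and their IPv6 equivalents. Assumed list.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]


def parse_ip(value):
    """Strictly parse a field value as an IP address.

    Raises ValueError for anything that is not a plain IPv4/IPv6 literal, so a
    malformed field value is rejected before it reaches a URL or a KML file.
    """
    return ipaddress.ip_address(value.strip())


def locate_ip(value):
    """Return (lat, lon, label) for a routable address, or None if non-routable/unknown."""
    ip = parse_ip(value)
    if any(ip in net for net in NON_ROUTABLE):
        return None
    for net, location in GEO_TABLE.items():
        if ip in net:
            return location
    return None


def build_kml(value, comment=None):
    """Build a KML document with one Placemark for the address, or None if unlocatable."""
    located = locate_ip(value)
    if located is None:
        return None
    lat, lon, label = located
    name = escape(str(parse_ip(value)))
    # The comment comes from event data, so it is XML-escaped before embedding.
    description = escape(comment if comment is not None else value)
    kml = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<kml xmlns="http://www.opengis.net/kml/2.2">\n'
        '  <Document>\n'
        '    <Placemark>\n'
        f'      <name>{name}</name>\n'
        f'      <description>{description} - {escape(label)}</description>\n'
        # KML orders coordinates as longitude,latitude,altitude.
        f'      <Point><coordinates>{lon},{lat},0</coordinates></Point>\n'
        '    </Placemark>\n'
        '  </Document>\n'
        '</kml>\n'
    )
    ET.fromstring(kml)  # self-check: the output is well-formed XML
    return kml


def build_lookup_uri(base_uri, value, comment=None):
    """Build the lookup URL a field action would call.

    The field value is validated as an IP literal and URL-encoded instead of
    being substituted into the query string verbatim.
    """
    ip = parse_ip(value)
    params = {"ip": str(ip), "comment": comment if comment is not None else str(ip)}
    return f"{base_uri}?{urllib.parse.urlencode(params)}"


if __name__ == "__main__":
    # Placeholder base URI from the post; the service behind it is not real.
    print(build_lookup_uri("http://www.someservice.com/index.php/iptokml", "203.0.113.5"))
    print(build_kml("203.0.113.5", comment="seen in a constructed firewall event"))
```

In a real deployment GEO_TABLE would be replaced by a GeoIP database or the Web service call, but the shape stays the same: validate the field value, refuse to look up internal addresses, and escape anything taken from event data before it lands in the URL or the KML.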

By Raffael Marty
