Learn more about the Cortex Query Language iploc stage, which associates the IPv4 addresses in a field with a list of predefined geolocation attributes.
Syntax
iploc <field>
Description
The iploc stage associates the IPv4 address in any field with a list of predefined geolocation attributes. By default, when you use this stage in your queries, the geolocation data is added to the results table in these predefined columns: LOC_ASN_ORG, LOC_ASN, LOC_CITY, LOC_CONTINENT, LOC_COUNTRY, LOC_LATLON, LOC_REGION, and LOC_TIMEZONE.
Note
The loc_latlon field contains a string made up of two floating-point numbers representing the latitude and longitude, separated by a comma, for example "32.0695,34.7621".
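Because loc_latlon arrives as a single "lat,lon" string rather than two numeric fields, anything that consumes exported results (a plotting script, a distance check) has to split and validate it. The following is an added example, not part of the Cortex documentation; the rows, IP addresses and coordinates are constructed to mimic the output of a query ending in `iploc action_remote_ip loc_city as city, loc_latlon`, and it handles the null, malformed and out-of-range cases a real export can contain.

```python
from typing import List, Optional, Tuple

# Constructed sample rows shaped like an export from a query that ends in
# `iploc action_remote_ip loc_city as city, loc_latlon`. IPs are documentation
# ranges and coordinates are made up; they are not real query output.
SAMPLE_ROWS = [
    {"action_remote_ip": "203.0.113.7", "city": "Tel Aviv", "loc_latlon": "32.0695,34.7621"},
    {"action_remote_ip": "198.51.100.9", "city": None, "loc_latlon": None},           # no geolocation match
    {"action_remote_ip": "192.0.2.44", "city": "Nowhere", "loc_latlon": "91.5,10.0"},  # latitude out of range
    {"action_remote_ip": "192.0.2.45", "city": "Nowhere", "loc_latlon": "32.0695"},    # longitude missing
]


def parse_latlon(value: Optional[str]) -> Optional[Tuple[float, float]]:
    """Split a loc_latlon string ("<lat>,<lon>") into validated floats.

    Returns None for null or empty values, for strings that do not contain
    exactly two numeric parts, and for coordinates outside the valid ranges,
    so downstream code never plots or measures garbage.
    """
    if not value:
        return None
    parts = value.split(",")
    if len(parts) != 2:
        return None
    try:
        lat, lon = (float(p.strip()) for p in parts)
    except ValueError:
        return None
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return None
    return lat, lon


def geolocated_rows(rows: List[dict]) -> List[Tuple[str, Optional[str], float, float]]:
    """Return (ip, city, lat, lon) for every row whose loc_latlon is usable.

    Rows without a valid location are dropped rather than defaulted to 0,0,
    which would otherwise place every unresolved address in the Gulf of Guinea.
    """
    out = []
    for row in rows:
        coords = parse_latlon(row.get("loc_latlon"))
        if coords is None:
            continue
        out.append((row["action_remote_ip"], row.get("city"), coords[0], coords[1]))
    return out
```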
The following options are available to you when using this stage in your queries:
You can specify the geolocation fields that you want added to the results table.
You can append a suffix to the name of the geolocation field column in the results table.
You can change the name of the geolocation field column in the results table.
You can also view the geolocation data on a graph of type map, where the xaxis is set to either loc_country or loc_latlon, and the yaxis is a number field.
Note
The iploc stage can only be used with fields that contain numbers or strings. To improve query performance, we recommend that you filter the data in your query before the iploc stage runs. In addition, limiting the number of fields in the results table further improves performance.
Examples
Return a maximum of 1000 xdr_data records with the specific geolocation data associated with the action_remote_ip field, excluding records where action_remote_ip is null, and display the name of the city in a column called city and the comma-separated latitude and longitude in a column called loc_latlon.
dataset = xdr_data | limit 1000 | filter action_remote_ip != null | iploc action_remote_ip loc_city as city, loc_latlon
Return a maximum of 1000 xdr_data records with all the available geolocation data in the predefined columns, appending the suffix _remote_id to each predefined column name, and excluding records where action_remote_ip is null.
dataset = xdr_data | limit 1000 | filter action_remote_ip != null | iploc action_remote_ip suffix=_remote_id
Return a maximum of 1000 xdr_data records with the specific geolocation data associated with the action_remote_ip field, placing the name of the country (contained in loc_country) in a column called country, and excluding records where either country or action_remote_ip is null. The comp stage is used to count the number of IP addresses per country. The results are displayed in a graph of type map, where the x-axis represents the country and the y-axis the number of action_remote_ip addresses per country (ip_count).
dataset = xdr_data | limit 1000 | iploc action_remote_ip loc_country as country | filter country != null and action_remote_ip != null | comp count() as ip_count by country | view graph type = map xaxis = country yaxis = ip_count