Use the following search query to enrich logs using the GEOIP process command:
Syntax:
| process geoip (fieldname)
Example Query:
| process geoip (source_address)
The above query enriches logs with country_name, region_name, city_name, postal_code, longitude, latitude, and timezone values associated with the source_address field.
The following screenshot shows a log enriched for a public IP:
Enriched Log Sample¶
The following screenshot shows a log enriched for a private IP:
Enriched Log Sample¶