IPinfo Splunk App Installation & Configuration

Download the IPinfo Splunk App from SplunkBase: https://splunkbase.splunk.com/app/4070

The IPinfo Splunk app integrates IPinfo's API and IP database products into the Splunk platform. This app adds the ipinfo command to Splunk, which utilizes IPinfo data through the API or IP database (MMDB) to look up IP information for specified IP addresses.

Full in-depth documentation is available at: https://github.com/ipinfo/splunk-docs

Splunk setup can vary widely and be customized across different installations and ecosystems. So, we recommend investing time into understanding how the platform works with our app.

This documentation is only recommended to be used as a guideline for how to use our Splunk App on the Splunk Enterprise installation. We encourage reaching out to our team to understand the best usage policies for our Splunk app.

Supported OS and Versions

The current Splunk version is 9.3.0. We support all Splunk supported operating systems: Windows, Linux, and Mac. We also support '8.x.y' versions, like 8.9.1, or earlier (find the documentation for it here: https://github.com/ipinfo/splunk-docs/tree/8.9.1).

Installation from SplunkBase

1. Visit the IPinfo Splunk App page at Splunkbase: https://splunkbase.splunk.com/app/4070
2. Download the app. The download format will be .tgz

3. In Splunk (Enterprise), open the "Apps" dropdown and click "Manage Apps". From there, click "Install App from File". In the "Install App From File" modal, browse and select the IPinfo App (usually named: ipinfo-app-for-splunk-<version>.tgz) and click "Upload".

4. Then you will be prompted to set up the IPinfo App.

Installation via Single Stand Alone Machine (CLI)

Single standalone Splunk Enterprise Installation on Windows/*NIX.

1. Unzip ipinfo_app.spl (File available upon request)
2. Copy the unzipped directory ipinfo_app to $SPLUNK_HOME/etc/apps/
3. Open CLI and restart Splunk using the following command:

`./splunk restart`

Installation on Distributed Machines

**Single Indexer Single Search head and Single forwarder (Heavy or Universal) and Deployment server. **

1. Unzip ipinfo_app.spl
2. Copy the unzipped directory ipinfo_app to deployment server in $SPLUNK_HOME/etc/deployment-apps/
3. Add following to serverclass.conf

[serverClass:<SEARCHHEAD_SERVERCLASS>:app:< ipinfo_app >]
stateOnClient=enabled
restartSplunkd=true

4. Open CLI deploy the apps using following command:

./splunk reload deploy-server

Multiple non-clustered Indexers, Multiple non-clustered SearchHeads, Forwarder(Heavy or Universal) and Deployment server

1. Unzip ipinfo_app.spl
2. Copy the unzipped directory ipinfo_app to deployment server in $SPLUNK_HOME/etc/deployment-apps/
3. Add following to serverclass.conf

[serverClass:<SEARCHHEAD_SERVERCLASS>:app:< ipinfo_app >]
stateOnClient=enabled
restartSplunkd=true

4. Open CLI deploy the apps using following command

./splunk reload deploy-server

Single Site clustered Indexer, Clustered Search heads and Forwarder (Heavy or Universal).

1. Unzip ipinfo_app.spl
2. Copy ipinfo_app to Deployer server in $SPLUNK_HOME/etc/shcluster/apps/
3. Open the CLI on Deployer and deploy the app on Search Head Cluster using following command:

./splunk apply shcluster-bundle -target <URI>:<management_port> -auth
<username>:<password>

Post-install configuration:

1. After installation and restart, log in to the Splunk web and go to 'Manage'.
2. It will list all the installed applications and their configuration options.
3. Look for 'IPINFO' and click on the 'Set-Up' link to configure the add-on.
4. Make sure to restart the Splunk instance after setting up the app. In the case of the Search Head Cluster, each search needs to be restarted or a rolling restart must be initiated to make all changes work properly.

Installation from the Web Interface (Manual)

1. On the Splunk Home Page, Click on "Manage"
2. On the Manage Apps page, Click on "Install app from file"
3. Select path for IPINFO Splunk app .spl file and Click "Upload"
4. It is good practice to restart the Splunk, please restart.

Splunk Integration: IP Database Downloads

Please note that currently the app may use some of our legacy schema variants of the IP Database Downloads. If you want to use our new (*schema) IP database downloads or custom IP database download, please let us know.

1. To use our IP Database Downloads, make sure to check the "Database (MMDB)" field.

2. After that, select the databases you want to access. The "Country ASN MMDB" is available to all users for free. The rest of the databases require a paid subscription. Please note that you can also choose the update cadence.

Currently (October 25, 2025), the following databases are available. Please note that some of these IP databases use the legacy schema, but the underlying data is identical to our new database.

To learn more about the advanced settings and proxy settings, please review the full documentation available here: https://github.com/ipinfo/splunk-docs. We are going to proceed with default settings.

Now you have selected the IP databases that you will work with on Splunk.

3. Now, after completing the setup, you should initiate the database with a forced refresh. After the forced refresh, the database will be updated on the update cadence you have selected automatically.

You can check the overview page to see if your downloads have been completed.

Note that we generally recommend setting up the Splunk app using the IP database downloads, as with this configuration you can have access to both the database downloads and API service. However, if you set up the app with the API configuration, you only have access to the API data.

Note: MMDB is downloaded in /lookups section of app directory. And does not overwrite splunk’s default MMDB.

Splunk Integration: API Service

Please note that the app currently does not support the updated API system (api.ipinfo.io). The app relies on the legacy API (ipinfo.io). If you want to use our updated API system (Lite, Core, Plus, etc.) in Splunk, let the IPinfo team know.

To use our API service, make sure to check the "API" field.

You can set up the proxy settings if you want as well.

Please note that in the search operation, you can use the API service even when the app is set for IP database downloads by using the restapi parameter set to true. However, you can only use the IP database downloads for lookups when the app is not set up for the API. It is recommended that you set the app for database downloads only and use the API service through the restapi parameter set to true.

Splunk Integration: App Overview

The IPinfo Splunk App includes functionality and information across several tabs. They are described below.

Overview

High-level overview of the IPinfo Splunk App. Contains usage metrics across the API service, IP database, and the MMDB status section, which shows which MMDBs are available to be used along with timestamp and size metadata information.

IPinfo

The single IP lookup interface section can be used to look up IP addresses against the API or IP database downloads. The location information is utilized to present map details. Also, you have the option to export the IP data enrichment as a PDF or print it.

Search

The search functionality allows you to use the Splunk Search Processing Language (SPL) syntax to enrich IP addresses using the ipinfo command. A detailed overview of this section is provided in the Usage section.

Log Status

Shows operational activity. This could be related to file downloads, errors, and other log information.

Refresh

This section is used for hard forced refresh of IP database downloads ahead of the regularly scheduled update time.

Documentation

The documentation section redirects the user to the IPinfo Splunk full documentation guide.

Splunk Integration: Usage

After the setup is complete, you can begin looking up some IP addresses. Go to the "IPinfo" tab and look up an IP address. You will receive the information available from the IP databases you have set up.

The location information comes from your API subscription (if you have set up the API) or the standard_location.mmdb file (if you have set up the database download), and the other information comes from the other databases you have set up or the API data you have access to.

For example, on the API setup, this is what the overview page looks like if you are on the IPinfo Business plan that gives you access to location, ASN, company, carrier, domains, privacy, and abuse data.

On the IP database setup, this is what the overview page looks like if you have access to the IP to location, IP to Country ASN, and IP to Privacy Database. Note that the other database sections like company, carrier, etc. have N/A as their values as we have not set up those databases.

Aside from singular IP lookups from the IPinfo tab, you can use the full search functionality available in Splunk. You can perform log enrichment and more, as well as real-time IP enrichment with the available database. The Splunk app uses binary MMDB files, so lookups are extremely fast. And since you are using an offline database, there are no request limits or usage limits.

The search tab fully supports Splunk Search Processing Language (SPL) syntax. You can use it to perform IP address extraction, filtering, IP metadata analysis, aggregation, etc. Instructions related to SPL have been skipped in this documentation.

These ipinfo command search parameters accept boolean input. In general, you just set them as true, as the default value is false. If you do not specify the search data parameter, the default response will be IP to Location data.

• privacy: Available both in IP database download and API setup.
• asn: Available both in IP database download and API setup.
• company: Available both in IP database download and API setup.
• carrier: Available both in IP database download and API setup.
• domains: Available both in IP database download and API setup.
• abuse: Available both in IP database download and API setup.
• country_asn: Available only in the IP database download setup.
• resproxy
• restapi: Used in database download setup. Uses the API endpoint using the database download access token. Returns available API data the token has access to.
• alltypes: Returns all the information available across all the available database downloads or API accesses.

You can add two or more flags in single search query.

To keep things simple, we can perform dummy lookups using random IP addresses (random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, IP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'). In real-world applications, you will pass your IP addresses from web traffic logs here.

Please remember that location information is our default response. Simply use the 'ipinfo' command to retrieve location information for the IP addresses being looked up.

ipinfo <ip>: Single IP address lookup.

| makeresults 
| eval IP="1.0.178.0"
| ipinfo IP

ipinfo <ip>: Multiple rows (2000) of singular IP address lookup.

| makeresults count=2000
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, IP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time IP
| ipinfo IP

ipinfo <ip1> <ip2>: Multiple rows (100) of multiple (SRCIP, DESTIP) IP address lookup.

| makeresults count=100
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, SRCIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, DESTIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time SRCIP DESTIP
| ipinfo SRCIP DESTIP

ipinfo prefix=true <ip>: The prefix=true can be thought of as an input column name addition. When you add prefix=true before each column, your input parameter column name will be added. If you are looking up singular IP addresses, you will get city, region, etc., and with prefix=true and your column name being SRCIP, it will become SRCIP_city, SRCIP_region, etc. Note that if you are looking up multiple columns of IP addresses (ipinfo SRCIP DESTIP), the prefix is automatically set to true.

| makeresults count=100
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, SRCIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time SRCIP
| ipinfo prefix=true SRCIP

ipinfo <ip> <ipinfo_data_parameter>=true: Specify the IP metadata to return for the IP address. If you do not pass any argument to the core ipinfo search command, the IP addresses will be looked up against the IPinfo Location API or database, depending on your setup. If you want to combine that information with other IP metadata that you have access to, you must specify them. The available database commands are:

• ipinfolite (API / IP Database)
• ipinfocore (API / IP Database)
• ipinfoplus (API / IP Database)
• privacy (API / IP Database)
• asn (API / IP Database)
• company (API / IP Database)
• carrier (API / IP Database)
• domains (API / IP Database)
• abuse (API / IP Database)
• country_asn (IP Database)

I am looking up the IP to Company data from the API service:

| makeresults count=100
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, SRCIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time SRCIP
| ipinfo SRCIP company=true

You can even combine multiple different IP metadata parameters. For example, here we are looking up both ASN information and IP to Abuse Contact information simultaneously (asn=true abuse=true) from the API service:

| makeresults count=100
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, SRCIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time SRCIP
| ipinfo SRCIP asn=true abuse=true

ipinfo <ip> alltypes=true: Returns all the information that your access token has access to. If you have set up the API, it will return all the information you have access to.

| makeresults count=100
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, SRCIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time SRCIP
| ipinfo SRCIP alltypes=true

If you have set up the IP database downloads, it will use the available database downloads. In this example, I have the location, privacy, and country as database setup.

| makeresults count=100
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, SRCIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time SRCIP
| ipinfo SRCIP alltypes=true

ipinfo <ip> restapi=true: When you have set up the IP database downloads you can still get the API response by setting restapi=true. This will use the access token you have used to download the IP address database.

| makeresults count=100
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, SRCIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time SRCIP
| ipinfo SRCIP restapi=true

By setting restapi=true, your search operation will only look up the IP address using the API. It will not use the database downloads for the lookup, not even for the location lookup. For example, setting country_asn=true will not work when restapi=true. However, if you do not have access to a certain database but you have access to certain IP metadata through the API, you can look them up.

For example, in this setup, I do not have access to download the IP to Company database, but I have access to the IP to Company API service. This means by setting restapi=true and company=true, we can get the IP to Company data from the API.

| makeresults count=100
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, SRCIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time SRCIP
| ipinfo SRCIP restapi=true company=true

Even though you have set the app for IP database downloads, by using restapi=true, you can also get all the data from the API service using the alltypes=true function parameter.

| makeresults count=100
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, SRCIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time SRCIP
| ipinfo SRCIP restapi=true alltypes=true

Notes, FAQs and Advanced Operations:

Advanced options on database downloads

The IPinfo Splunk App uses MMDB files to perform IP address lookups. In distributed Splunk environments—such as Search Head Clusters (SHCs) and Indexer Clusters—you must decide how and where these MMDB files are downloaded and replicated.

The following settings control how the files are distributed and how lookups are executed across the cluster:

• Replicate on search heads — determines how MMDB files are shared within a Search Head Cluster.
• Replicate database to indexers — determines whether MMDB files should be sent to indexers so they can perform IPinfo lookups during search streaming, improving search performance.

These options affect download behavior, cluster bandwidth, search speed, and bundle size.

Replicate on Search Heads

This setting decides how MMDB files are shared among search heads in a Search Head Cluster.

• Internally: Use this option when you want only one Search Head to download the MMDB files from IPinfo.io. Splunk will then replicate these files to all other search heads in the cluster.
  • Reduces the number of external downloads
  • Can be slower overall because the primary SH must copy the MMDB to every peer
• Externally: Use this option when you want each Search Head to download its own MMDB files directly from IPinfo.io.
  • Faster because no inter-SH replication happens
  • Uses more outbound bandwidth because each SH downloads the file independently

Replicate Database to Indexers

This setting determines whether MMDB files are included in the knowledge bundle that gets replicated to indexers.

• When set to “Yes”
  • The MMDB files are distributed to indexers in the cluster
  • Enables a modified lookup mode so IPinfo lookups run in streaming mode, which can significantly improve search performance
  • Increases the size of the knowledge bundle that search heads push to indexers

Enable this if:

• You are running the IPinfo app on a Search Head Cluster, and
• You have an Indexer Cluster, and
• You want indexers to perform lookups as part of distributed search (for speed)

Replication Issues

Large MMDB files can cause replication problems in distributed Splunk environments. When either of the following settings is enabled:

• Replicate on search heads = Internally
• Replicate database to indexers = Yes

The MMDB files must be included in the knowledge bundle that Splunk replicates across the cluster. This can become an issue when using large MMDB packages—such as the Plus Bundle (approximately 4.45 GB)—because the bundle may exceed Splunk’s default size limits.

Symptoms

• Bundle replication failures
• Search head cluster members falling out of sync
• Indexers rejecting knowledge bundle pushes

You can address replication failures in one of two ways:

• Increase the maxBundleSize setting: Splunk limits knowledge bundle size to 2 GB by default. You can raise this limit by modifying the maxBundleSize parameter in the replicationSettings stanza. (Refer to the official Splunk documentation for the exact stanza and configuration path.)
• Switch "Replicate on search heads" to "Externally": This avoids adding the MMDB files to the replication bundle because each search head will download the database directly from IPinfo.io, bypassing the need for SH-to-SH replication.

We welcome your feedback and if you have any feature requests or need support using the IPinfo Splunk app, please create a post in our IPinfo Community.