IPinfo Splunk App Installation & Configuration
Download the IPinfo Splunk App from SplunkBase: https://splunkbase.splunk.com/app/4070
The IPinfo Splunk app integrates IPinfo's API and IP database products into the Splunk platform. This app adds the ipinfo command to Splunk, which utilizes IPinfo data through the API or IP database (MMDB) to look up IP information for specified IP addresses.
Splunk setup can vary widely and be customized across different installations and ecosystems, so we recommend investing time in understanding how the platform works with our app.
This documentation is intended only as a guideline for using our Splunk App on a Splunk Enterprise installation. We encourage you to reach out to our team to understand the best usage policies for our Splunk app.
Features
- Enriches Splunk events with IPinfo data: geolocation, ASN, privacy, company, abuse, domains, carrier, residential proxy, and more.
- Supports both REST API and local MMDB (MaxMind DB) lookups.
- Compatible with standalone, distributed, and search head cluster deployments.
- Automated and manual MMDB updates.
- Proxy and advanced privacy support.
- Custom search commands and REST endpoints.
- Extensive configuration and logging.
Supported OS and Versions
The currently supported Splunk versions are 9.x and 10.x, as well as Splunk Cloud. We support all Splunk-supported operating systems: Windows, Linux, and Mac.
Installation from SplunkBase
- Visit the IPinfo Splunk App page at Splunkbase: https://splunkbase.splunk.com/app/4070
- Download the app. The download format will be `.tgz`.
- In Splunk (Enterprise), open the "Apps" dropdown and click "Manage Apps". From there, click "Install App from File". In the "Install App From File" modal, browse and select the IPinfo App (usually named `ipinfo-app-for-splunk-<version>.tgz`) and click "Upload".
- Then you will be prompted to set up the IPinfo App.
Installation via Single Standalone Machine (CLI)
Single standalone Splunk Enterprise installation on Windows/*NIX.
- Unzip `ipinfo_app.spl` (file available upon request).
- Copy the unzipped directory `ipinfo_app` to `$SPLUNK_HOME/etc/apps/`.
- Open the CLI and restart Splunk using the following command:
`./splunk restart`
Installation on Distributed Machines
Single Indexer, Single Search Head, Single Forwarder (Heavy or Universal) and Deployment Server.
- Unzip `ipinfo_app.spl`.
- Copy the unzipped directory `ipinfo_app` to the deployment server in `$SPLUNK_HOME/etc/deployment-apps/`.
- Add the following to `serverclass.conf`:
```
[serverClass:<SEARCHHEAD_SERVERCLASS>:app:ipinfo_app]
stateOnClient=enabled
restartSplunkd=true
```
- Open the CLI and deploy the apps using the following command:
`./splunk reload deploy-server`
Multiple non-clustered Indexers, Multiple non-clustered Search Heads, Forwarder (Heavy or Universal) and Deployment Server
- Unzip `ipinfo_app.spl`.
- Copy the unzipped directory `ipinfo_app` to the deployment server in `$SPLUNK_HOME/etc/deployment-apps/`.
- Add the following to `serverclass.conf`:
```
[serverClass:<SEARCHHEAD_SERVERCLASS>:app:ipinfo_app]
stateOnClient=enabled
restartSplunkd=true
```
- Open the CLI and deploy the apps using the following command:
`./splunk reload deploy-server`
Single-Site Clustered Indexers, Clustered Search Heads and Forwarder (Heavy or Universal).
- Unzip `ipinfo_app.spl`.
- Copy `ipinfo_app` to the Deployer in `$SPLUNK_HOME/etc/shcluster/apps/`.
- Open the CLI on the Deployer and deploy the app to the Search Head Cluster using the following command:
`./splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>`
Post-install configuration:
- After installation and restart, log in to the Splunk web and go to 'Manage'.
- It will list all the installed applications and their configuration options.
- Look for 'IPINFO' and click on the 'Set-Up' link to configure the add-on.
- Make sure to restart the Splunk instance after setting up the app. In the case of a Search Head Cluster, each search head needs to be restarted, or a rolling restart must be initiated, to make all changes work properly.
Installation from the Web Interface (Manual)
- On the Splunk Home Page, click on "Manage".
- On the Manage Apps page, click on "Install app from file".
- Select the path to the IPinfo Splunk app `.spl` file and click "Upload".
- It is good practice to restart Splunk after installation, so please restart.
Splunk Integration: IP Database Downloads
Please note that currently the app may use some of our legacy schema variants of the IP Database Downloads. If you want to use our new (*schema) IP database downloads or custom IP database download, please let us know.
- To use our IP Database Downloads, make sure to check the "Database (MMDB)" field.

- After that, select the databases you want to access. The "Country ASN MMDB" is available to all users for free. The rest of the databases require a paid subscription. Please note that you can also choose the update cadence.
Currently (October 25, 2025), the following databases are available. Please note that some of these IP databases use the legacy schema, but the underlying data is identical to our new database.

| Database Name | Description | Internal Name | File Name | Frequency |
|---|---|---|---|---|
| Lite MMDB | IPinfo Lite Database | ipinfo_lite | ipinfo_lite.mmdb | Daily/Weekly/Monthly |
| Core MMDB | IPinfo Core Database | ipinfo_core | ipinfo_core.mmdb | Daily/Weekly/Monthly |
| Plus MMDB | IPinfo Plus Database | ipinfo_plus | ipinfo_plus.mmdb | Daily/Weekly/Monthly |
| Location MMDB | IP to Location Database | iplocation | standard_location.mmdb | Daily/Weekly/Monthly |
| Location Extended MMDB | IP to Location Extended Database | iplocation_ext | location_extended_v2.mmdb | Daily/Weekly/Monthly |
| Location Extended Label MMDB | IP to Location Extended Labelled Database | iplocation_ext_labels | location_extended_v2_conf_labels.mmdb | Daily/Weekly/Monthly |
| Privacy MMDB | IP to Privacy Detection Database | privacy | standard_privacy.mmdb | Daily/Weekly/Monthly |
| Privacy Extended MMDB | IP to Privacy Detection Extended Database | privacy_extended | ipinfo_privacy_extended.mmdb | Daily/Weekly/Monthly |
| Privacy Extended (Legacy) | Legacy IP to Privacy Extended Database | privacy_ext | privacy_extended.mmdb | Daily/Weekly/Monthly |
| ASN MMDB | ASN Database | asn | asn.mmdb | Daily/Weekly/Monthly |
| Company MMDB | IP to Company Database | company | standard_company.mmdb | Daily/Weekly/Monthly |
| Carrier MMDB | IP to Carrier Database | carrier | carrier.mmdb | Daily/Weekly/Monthly |
| Domains MMDB | Hosted Domains Database | domains | standard_ip_hosted_domains.mmdb | Daily/Weekly/Monthly |
| Abuse MMDB | IP to Abuse Contact Database | abuse | standard_abuse.mmdb | Daily/Weekly/Monthly |
| Country ASN MMDB | IP to Country ASN Database (Free) | country_asn | free_country_asn.mmdb | Daily/Weekly/Monthly |
| Residential Proxy (7 day) | IP to Residential Proxy Detection Database - 7 Day Lookback | resproxy_7d | resproxy_7d.mmdb | Daily/Weekly/Monthly |
| Residential Proxy (30 Day) | IP to Residential Proxy Detection Database - 30 Day Lookback | resproxy_30d | resproxy_30d.mmdb | Daily/Weekly/Monthly |
Field Reference
For reference, here are all available fields organized by data type:
| Data Type | Fields Included |
|---|---|
| Lite Bundle | ip, asn, as_name, as_domain, country_code, country, continent_code, continent |
| Core Bundle | ip, city, region, region_code, country, country_code, continent, continent_code, latitude, longitude, timezone, postal_code, asn, as_name, as_domain, as_type, is_anonymous, is_anycast, is_hosting, is_mobile, is_satellite |
| Plus Bundle | ip, city, region, region_code, country, country_code, continent, continent_code, latitude, longitude, timezone, postal_code, dma_code, geoname_id, radius, geo_changed, asn, as_name, as_domain, as_type, as_changed, carrier_name, mcc, mnc, is_anonymous, is_anycast, is_hosting, is_mobile, is_satellite, is_proxy, is_relay, is_tor, is_vpn, privacy_name |
| Location | ip, city, country, lat, lon, postal, region, region_code, timezone, geoname_id |
| Location Extended | ip, city, country, country_name, lat, lon, postal, radius, region, region_code, timezone, geoname_id |
| Location Extended Labels | ip, city, city_confidence, country, country_confidence, country_name, lat, lon, postal, radius, region, region_confidence, region_code, timezone, geoname_id |
| Location Aggregated | ip, city, country, lat, lon, postal, region, region_code, timezone, geoname_id |
| ASN | asn_asn, asn_name, asn_domain, asn_route, asn_type |
| Company | company_name, company_domain, company_type |
| Carrier | carrier_name, carrier_mcc, carrier_mnc, carrier_cc, carrier_network |
| Privacy | vpn, proxy, tor, hosting, relay, service |
| Privacy Extended (Legacy) | anycast, census, census_port, device_activity, hosting, network, proxy, relay, tor, vpn, vpn_config, vpn_name, whois |
| Privacy Extended | vpn, proxy, tor, relay, hosting, service, confidence, coverage, census, census_ports, device_activity, inferred, vpn_config, whois, first_seen, last_seen |
| Domains | total_domains, domains |
| Abuse | abuse_address, abuse_country, abuse_name, abuse_email, abuse_network, abuse_phone |
| Country ASN | country_asn_domain, country_asn_name, country_asn_asn, country_continent, country_continent_name, country_country, country_country_name |
| Residential Proxy | resproxy_last_seen, resproxy_percent_days_seen, resproxy_service |
Now you have selected the IP databases that you will work with on Splunk.

- After completing the setup, you should initiate the database with a forced refresh. After the forced refresh, the database will be updated on the update cadence you have selected automatically.

You can check the overview page to see if your downloads have been completed.

Note that we generally recommend setting up the Splunk app using the IP database downloads, as with this configuration you can have access to both the database downloads and API service. However, if you set up the app with the API configuration, you only have access to the API data.
Note: the MMDB is downloaded into the `/lookups` section of the app directory and does not overwrite Splunk's default MMDB.
Splunk Integration: API Service
Please note that the app currently does not support the updated API system (`api.ipinfo.io`). The app relies on the legacy API (`ipinfo.io`). If you want to use our updated API system (Lite, Core, Plus, etc.) in Splunk, let the IPinfo team know.
To use our API service, make sure to check the "API" field.

You can set up the proxy settings if you want as well.
Please note that in the search operation, you can use the API service even when the app is set for IP database downloads by setting the `restapi` parameter to `true`. However, you can only use the IP database downloads for lookups when the app is not set up for the API. It is recommended that you set the app for database downloads only and use the API service through the `restapi` parameter set to `true`.
Splunk Integration: App Overview
The IPinfo Splunk App includes functionality and information across several tabs. They are described below.
Overview
High-level overview of the IPinfo Splunk App. Contains usage metrics across the API service, IP database, and the MMDB status section, which shows which MMDBs are available to be used along with timestamp and size metadata information.

IPinfo
The single IP lookup interface section can be used to look up IP addresses against the API or IP database downloads. The location information is utilized to present map details. Also, you have the option to export the IP data enrichment as a PDF or print it.

Search
The search functionality allows you to use the Splunk Search Processing Language (SPL) syntax to enrich IP addresses using the ipinfo command. A detailed overview of this section is provided in the Usage section.

Log Status
Shows operational activity. This could be related to file downloads, errors, and other log information.

Refresh
This section is used for hard forced refresh of IP database downloads ahead of the regularly scheduled update time.

Documentation
The documentation section redirects the user to the IPinfo Splunk full documentation guide.

Splunk Integration: Usage
After the setup is complete, you can begin looking up some IP addresses. Go to the "IPinfo" tab and look up an IP address. You will receive the information available from the IP databases you have set up.

The location information comes from your API subscription (if you have set up the API) or the standard_location.mmdb file (if you have set up the database download), and the other information comes from the other databases you have set up or the API data you have access to.
For example, on the API setup, this is what the overview page looks like if you are on the IPinfo Business plan that gives you access to location, ASN, company, carrier, domains, privacy, and abuse data.
On the IP database setup, this is what the overview page looks like if you have access to the IP to location, IP to Country ASN, and IP to Privacy Database. Note that the other database sections like company, carrier, etc. have N/A as their values as we have not set up those databases.
Aside from singular IP lookups from the IPinfo tab, you can use the full search functionality available in Splunk. You can perform log enrichment and more, as well as real-time IP enrichment with the available database. The Splunk app uses binary MMDB files, so lookups are extremely fast. And since you are using an offline database, there are no request limits or usage limits.
The search tab fully supports Splunk Search Processing Language (SPL) syntax. You can use it to perform IP address extraction, filtering, IP metadata analysis, aggregation, etc. Instructions related to SPL have been skipped in this documentation.
IPinfo Command Parameters
The ipinfo command accepts the following parameters. All boolean parameters default to false unless specified:
| Option | Type | Default | Description |
|---|---|---|---|
| prefix | bool/list | false | Prefix output fields with input column name. If set to true, fields are prefixed with the input column name. If a list is provided, it must match the number of IP inputs (e.g., for ipinfo IP1 IP2, use prefix=first_,second_ to prefix results for each IP respectively). |
| restapi | bool | false | Force REST API lookup (even when MMDB is configured) |
| privacy | bool | false | Include privacy fields |
| asn | bool | false | Include ASN fields |
| company | bool | false | Include company fields |
| abuse | bool | false | Include abuse fields |
| domains | bool | false | Include domains fields |
| carrier | bool | false | Include carrier fields |
| country_asn | bool | false | Include country ASN fields (MMDB only) |
| resproxy | bool | false | Include residential proxy fields |
| alltypes | bool | false | Include all field types available |
| resproxy_lookback | 7/30 | 30 | Lookback window for resproxy MMDB (7, or 30 days) |
Notes:
- If you do not specify any data parameter, the default response will be IP to Location data.
- `country_asn` is only available in the IP database download setup.
- `restapi=true` uses the API endpoint with your database download access token.
- `alltypes=true` returns all information available across all database downloads or API accesses.
- You can add two or more flags in a single search query.
To keep things simple, we can perform dummy lookups using random IP addresses (random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, IP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'). In real-world applications, you will pass your IP addresses from web traffic logs here.
Please remember that location information is our default response. Simply use the 'ipinfo' command to retrieve location information for the IP addresses being looked up.
ipinfo <ip>: Single IP address lookup.
```
| makeresults
| eval IP="1.0.178.0"
| ipinfo IP
```

ipinfo <ip>: Multiple rows (2000) of singular IP address lookup.
```
| makeresults count=2000
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, IP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time IP
| ipinfo IP
```

ipinfo <ip1> <ip2>: Multiple rows (100) of multiple (SRCIP, DESTIP) IP address lookup.
```
| makeresults count=100
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, SRCIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, DESTIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time SRCIP DESTIP
| ipinfo SRCIP DESTIP
```

ipinfo prefix=true <ip>: The prefix=true can be thought of as an input column name addition. When you add prefix=true before each column, your input parameter column name will be added. If you are looking up singular IP addresses, you will get city, region, etc., and with prefix=true and your column name being SRCIP, it will become SRCIP_city, SRCIP_region, etc. Note that if you are looking up multiple columns of IP addresses (ipinfo SRCIP DESTIP), the prefix is automatically set to true.
```
| makeresults count=100
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, SRCIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time SRCIP
| ipinfo prefix=true SRCIP
```
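The parameter table above also allows `prefix` to be a list, one prefix per input column, but the page's own examples only show `prefix=true`. The following added example (not from the IPinfo app documentation) enriches a constructed source/destination pair with `prefix=src_,dst_` so the two lookups land in clearly separated fields. The input columns are named `src` and `dst` rather than `src_ip` so the lookup's own `ip` output (`src_ip`, `dst_ip`) does not collide with the input; the sample addresses are constructed (public resolver addresses and the page's `1.0.178.0`), and the prefixed field names (`src_country`, `dst_city`, ...) are assumed to be the prefix string joined verbatim to the field name, which is why the final `table` uses wildcards.

```spl
| makeresults count=3
| streamstats count AS n
| eval src=case(n=1, "8.8.8.8", n=2, "1.1.1.1", n=3, "9.9.9.9"),
       dst=case(n=1, "1.0.178.0", n=2, "8.8.4.4", n=3, "1.1.1.1")
| table _time src dst
| ipinfo prefix=src_,dst_ src dst
| table _time src src_* dst dst_*
```

With an MMDB setup each row costs two local lookups, so the same pattern applied to firewall or proxy logs (replace the `makeresults`/`eval` lines with your base search and real `src`/`dst` fields) scales to large result sets without API request limits.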

Alternative Search Commands
In addition to the main ipinfo command with parameters, the app also provides dedicated search commands for specific use cases:
- `ipinfolite` - Look up IP addresses using the Lite database/API
- `ipinfocore` - Look up IP addresses using the Core database/API
- `ipinfoplus` - Look up IP addresses using the Plus database/API
- `ipinforesproxy` - Look up residential proxy data via MMDB or REST API
These commands can be used as alternatives to the ipinfo command with parameters. For example:
```
| makeresults count=100
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, SRCIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time SRCIP
| ipinfocore SRCIP
```
Using Parameters with Main ipinfo Command
For most use cases, we recommend using the main ipinfo command with parameters:
I am looking up the IP to Company data from the API service:
```
| makeresults count=100
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, SRCIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time SRCIP
| ipinfo SRCIP company=true
```

You can even combine multiple different IP metadata parameters. For example, here we are looking up both ASN information and IP to Abuse Contact information simultaneously (asn=true abuse=true) from the API service:
```
| makeresults count=100
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, SRCIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time SRCIP
| ipinfo SRCIP asn=true abuse=true
```
ipinfo <ip> alltypes=true: Returns all the information that your access token has access to. If you have set up the API, it will return all the information you have access to.
```
| makeresults count=100
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, SRCIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time SRCIP
| ipinfo SRCIP alltypes=true
```

If you have set up the IP database downloads, it will use the available database downloads. In this example, I have the location, privacy, and country databases set up.
```
| makeresults count=100
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, SRCIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time SRCIP
| ipinfo SRCIP alltypes=true
```

ipinfo <ip> restapi=true: When you have set up the IP database downloads you can still get the API response by setting restapi=true. This will use the access token you have used to download the IP address database.
```
| makeresults count=100
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, SRCIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time SRCIP
| ipinfo SRCIP restapi=true
```
By setting restapi=true, your search operation will only look up the IP address using the API. It will not use the database downloads for the lookup, not even for the location lookup. For example, setting country_asn=true will not work when restapi=true. However, if you do not have access to a certain database but you have access to certain IP metadata through the API, you can look them up.
For example, in this setup, I do not have access to download the IP to Company database, but I have access to the IP to Company API service. This means by setting restapi=true and company=true, we can get the IP to Company data from the API.
```
| makeresults count=100
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, SRCIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time SRCIP
| ipinfo SRCIP restapi=true company=true
```

Even though you have set the app for IP database downloads, by using restapi=true you can also get all the data from the API service with the alltypes=true parameter.
```
| makeresults count=100
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, SRCIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time SRCIP
| ipinfo SRCIP restapi=true alltypes=true
```

ipinfo <ip> resproxy=true: Look up residential proxy detection data for IP addresses.
```
| makeresults count=100
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, SRCIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time SRCIP
| ipinfo SRCIP resproxy=true
```
This will return fields like resproxy_last_seen, resproxy_percent_days_seen, and resproxy_service for each IP address.
ipinfo <ip> resproxy=true resproxy_lookback=7: Use a specific lookback window (7 or 30 days) for residential proxy data. If you are using the default resproxy database, there is no need to set the resproxy_lookback parameter.
```
| makeresults count=100
| eval IP1=random()%192, IP2=random()%210, IP3=random()%230, IP4=random()%192, SRCIP='IP1'.".".'IP2'.".".'IP3'.".".'IP4'
| table _time SRCIP
| ipinfo SRCIP resproxy=true resproxy_lookback=7
```
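The examples in this section all enrich randomly generated addresses one flag at a time. As an added example (not from the IPinfo app documentation) of how a defender would combine several flags on real events, the query below summarises successful logins per source address, enriches each distinct address once with privacy and ASN data, and keeps only addresses IPinfo flags as Tor, VPN, proxy or relay. `index=auth` and the `action`, `user` and `src_ip` field names are assumptions about your own data; the privacy fields (`tor`, `vpn`, `proxy`, `relay`, `service`), the ASN fields (`asn_asn`, `asn_name`) and `country` are the names from the Field Reference table, and the query assumes the boolean privacy fields arrive as the strings true/false.

```spl
index=auth action=success src_ip=*
| stats count AS logins, dc(user) AS distinct_users, values(user) AS users BY src_ip
| ipinfo src_ip privacy=true asn=true
| search tor=true OR vpn=true OR proxy=true OR relay=true
| eval anon_type=case(lower(tor)="true", "tor",
                      lower(vpn)="true", "vpn",
                      lower(proxy)="true", "proxy",
                      lower(relay)="true", "relay")
| table src_ip anon_type service country asn_asn asn_name logins distinct_users users
| sort - logins
```

Aggregating with `stats` before calling `ipinfo` means each address is looked up once rather than once per event, which matters when the lookups go to the API rather than a local MMDB. The `hosting` flag is deliberately left out of the filter because cloud provider ranges are common in legitimate traffic; add it back if your environment expects no logins from hosting networks. `search` matches field values case-insensitively, so `tor=true` also matches `True`; if your installation returns `1`/`0` instead, change both the `search` and the `case()` comparisons accordingly. If location fields do not accompany a `privacy=true` lookup in your setup, drop `country` from the final `table`.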
Troubleshooting
Common Issues and Solutions
Network and Firewall Requirements
The IPinfo Splunk App requires outbound HTTPS (port 443) access from the Splunk server to the following domains:
- `ipinfo.io` and `*.ipinfo.io` (including `api.ipinfo.io`) - Used for REST API lookups and MMDB database downloads
- `storage.googleapis.com` - MMDB downloads redirect to this domain for file delivery
Ensure these domains are allowlisted in your firewall or proxy configuration. If you are using the MMDB-only setup without API lookups, outbound access is still required for the initial database download and scheduled updates.
If your organization uses an SSL-intercepting proxy or TLS inspection, you may need to configure the app's ca_cert_path setting with your organization's CA certificate to avoid SSL verification errors. Verify that your proxy settings are correct if using the app's built-in proxy support. See the Proxy Settings and SSL/TLS Settings sections in the Configuration Reference for details.
Check the Log Status dashboard for specific SSL or connection error messages.
Permission Errors on API Lookups or Manual Refresh
The IPinfo Splunk App stores the API token and proxy password in Splunk's credential store (storage/passwords). By default, only users with the admin_all_objects capability can access these credentials.
For non-admin users to perform operations that require the API token (such as REST API lookups, manual MMDB refresh, or any command with restapi=true), a Splunk admin must grant the list_storage_passwords capability to the appropriate role.
- Local MMDB queries and automatic scheduled MMDB downloads are not affected
- The `list_storage_passwords` capability grants access to credentials across Splunk by default. Admins can restrict this using Splunk's RBAC controls in `metadata/local.meta` to limit access to only the IPinfo app's credentials. See Splunk's secret storage access control documentation for details
MMDB Files Not Found
- Check the Log Status dashboard for download errors
- Use the Manual Refresh dashboard to force a refresh
- Verify your API token has permissions to download that MMDB file
- Ensure the scheduled searches are enabled
API Token Issues
- Ensure the token is correctly set in the app configuration
- Verify the token has access to the required data products
- Check that the token hasn't expired or been revoked
- Review the Log Status dashboard for authentication errors
Version Compatibility
- Ensure Splunk version is 9.x or 10.x
- Check that all search heads in a cluster are running the same app version
SSL Certificate Verification Errors
- The most common cause is a corporate firewall or SSL-intercepting proxy that replaces certificates with its own. Configure the app's `ca_cert_path` setting with your organization's root CA certificate
- MMDB downloads redirect to `storage.googleapis.com`. Ensure this domain is also allowlisted in your firewall alongside `ipinfo.io`
- If you see `CERTIFICATE_VERIFY_FAILED: self signed certificate in certificate chain`, this typically indicates TLS inspection is active on your network
MMDB Downloads Failing with HTTP 401
- The app redirects MMDB downloads to a pre-signed URL on `storage.googleapis.com`. If your environment forwards the `Authorization` header to the redirect destination, the download will fail with a 401
- This has been resolved in app version 9.1.0 and later. Ensure you are running the latest version of the app from SplunkBase
Splunk Enterprise Security Compatibility
- Splunk Enterprise Security enforces SSL on internal REST endpoints. If MMDB downloads fail in an ES environment but work on a standalone instance, ensure you are running app version 9.2.0 or later, which uses the Splunk Python SDK for internal REST calls
- Check the Log Status dashboard and `$SPLUNK_HOME/var/log/splunk/ipinfo/` for specific error details
Large MMDB File Size on Splunk Cloud
- Splunk Cloud has a 3 GB knowledge bundle size limit and an approximate 5 GB lookup file size limit
- Large MMDB files such as the Plus Bundle (~4.45 GB) or Residential Proxy MMDB may exceed the bundle replication limit
- The IPinfo app downloads the MMDB files locally on the node performing the download at `$SPLUNK_HOME/etc/apps/ipinfo_app/lookups/<mmdb_name>.mmdb`
- Set "Replicate on search heads" to "Externally" so each search head downloads directly from IPinfo, bypassing the bundle size constraint
- On Splunk Enterprise, you can alternatively increase the `maxBundleSize` setting.
Proxy Connection Issues
- Verify proxy host, port, and credentials are correct
- Check that proxy type (HTTP/SOCKS) matches your proxy server
- Test connectivity from the Splunk server directly: `curl -x http://<proxy>:<port> https://ipinfo.io/data/free_country_asn.mmdb -I`
- Review logs for specific proxy error messages
Configuration Errors on Windows
- On some Windows machines, the `ip_info_setup.conf` file may be saved with a UTF-8 BOM (Byte Order Mark), causing a `MissingSectionHeaderError` in the logs
- To fix this, open the file at `$SPLUNK_HOME\etc\apps\ipinfo_app\local\ip_info_setup.conf` in a text editor and convert it to "UTF-8 without BOM"
Getting Help
- Logs: Check Splunk logs and the app's Log Status dashboard for detailed error messages
- Support: Contact support@ipinfo.io for assistance
- Community: Visit IPinfo Community for peer support
Notes, FAQs and Advanced Operations:
Advanced options on database downloads
The IPinfo Splunk App uses MMDB files to perform IP address lookups. In distributed Splunk environments—such as Search Head Clusters (SHCs) and Indexer Clusters—you must decide how and where these MMDB files are downloaded and replicated.
The following settings control how the files are distributed and how lookups are executed across the cluster:
- Replicate on search heads — determines how MMDB files are shared within a Search Head Cluster.
- Replicate database to indexers — determines whether MMDB files should be sent to indexers so they can perform IPinfo lookups during search streaming, improving search performance.
These options affect download behavior, cluster bandwidth, search speed, and bundle size.
Replicate on Search Heads
This setting decides how MMDB files are shared among search heads in a Search Head Cluster.
- Internally: Use this option when you want only one Search Head to download the MMDB files from IPinfo.io. Splunk will then replicate these files to all other search heads in the cluster.
  - Reduces the number of external downloads
  - Can be slower overall because the primary SH must copy the MMDB to every peer
- Externally: Use this option when you want each Search Head to download its own MMDB files directly from IPinfo.io.
  - Faster because no inter-SH replication happens
  - Uses more outbound bandwidth because each SH downloads the file independently
Replicate Database to Indexers
This setting determines whether MMDB files are included in the knowledge bundle that gets replicated to indexers.
- When set to “Yes”:
  - The MMDB files are distributed to indexers in the cluster
  - Enables a modified lookup mode so IPinfo lookups run in streaming mode, which can significantly improve search performance
  - Increases the size of the knowledge bundle that search heads push to indexers
Enable this if:
- You are running the IPinfo app on a Search Head Cluster, and
- You have an Indexer Cluster, and
- You want indexers to perform lookups as part of distributed search (for speed)
Replication Issues
Large MMDB files can cause replication problems in distributed Splunk environments. When either of the following settings is enabled:
- Replicate on search heads = Internally
- Replicate database to indexers = Yes
The MMDB files must be included in the knowledge bundle that Splunk replicates across the cluster. This can become an issue when using large MMDB packages—such as the Plus Bundle (approximately 4.45 GB)—because the bundle may exceed Splunk’s default size limits.
Symptoms
- Bundle replication failures
- Search head cluster members falling out of sync
- Indexers rejecting knowledge bundle pushes
You can address replication failures in one of two ways:
- Increase the maxBundleSize setting: Splunk limits knowledge bundle size to 2 GB by default. You can raise this limit by modifying the maxBundleSize parameter in the replicationSettings stanza. (Refer to the official Splunk documentation for the exact stanza and configuration path.)
- Switch "Replicate on search heads" to "Externally": This avoids adding the MMDB files to the replication bundle because each search head will download the database directly from IPinfo.io, bypassing the need for SH-to-SH replication.
Reference Tables
Saved Searches (MMDB Auto-Updates)
The app creates saved searches for automatic MMDB updates. These are disabled by default and can be enabled from the app setup:
| Name | Schedule | Search Command Example |
|---|---|---|
| MMDB lite Update | Daily (1:01 AM) | `\| mmdbdownload MMDB="ipinfo_lite"` |
| MMDB core Update | Daily (1:01 AM) | `\| mmdbdownload MMDB="ipinfo_core"` |
| MMDB plus Update | Daily (1:01 AM) | `\| mmdbdownload MMDB="ipinfo_plus"` |
| MMDB iplocation Update | Daily (1:01 AM) | `\| mmdbdownload MMDB="iplocation"` |
| MMDB iplocation_ext Update | Daily (1:01 AM) | `\| mmdbdownload MMDB="iplocation_ext"` |
| MMDB iplocation_ext_labels Update | Daily (1:01 AM) | `\| mmdbdownload MMDB="iplocation_ext_labels"` |
| MMDB asn Update | Daily (1:01 AM) | `\| mmdbdownload MMDB="asn"` |
| MMDB privacy Update | Daily (1:01 AM) | `\| mmdbdownload MMDB="privacy"` |
| MMDB privacy_ext Update | Daily (1:01 AM) | `\| mmdbdownload MMDB="privacy_ext"` |
| MMDB privacy_extended Update | Daily (1:01 AM) | `\| mmdbdownload MMDB="privacy_extended"` |
| MMDB company Update | Daily (1:01 AM) | `\| mmdbdownload MMDB="company"` |
| MMDB carrier Update | Daily (1:01 AM) | `\| mmdbdownload MMDB="carrier"` |
| MMDB domains Update | Daily (1:01 AM) | `\| mmdbdownload MMDB="domains"` |
| MMDB abuse Update | Daily (1:01 AM) | `\| mmdbdownload MMDB="abuse"` |
| MMDB country_asn Update | Daily (1:01 AM) | `\| mmdbdownload MMDB="country_asn"` |
| MMDB resproxy_7d Update | Daily (1:01 AM) | `\| mmdbdownload MMDB="resproxy_7d"` |
| MMDB resproxy_30d Update | Daily (1:01 AM) | `\| mmdbdownload MMDB="resproxy_30d"` |
The schedule can be customized to Daily, Weekly, or Monthly based on your requirements.
Configuration Reference
For advanced users, here are the key configuration parameters available in the IPinfo Splunk App. These can be configured through the app setup UI or by editing ip_info_setup.conf:
General Settings
| Parameter | Default | Description |
|---|---|---|
| method | RESTAPI | Lookup method: RESTAPI or MMDB |
| token | (empty) | IPinfo API token |
Proxy Settings
| Parameter | Default | Description |
|---|---|---|
| proxy_enable | No | Enable proxy (Yes/No) |
| proxy_type | HTTP | Proxy type (HTTP/SOCKS) |
| proxy_host | (empty) | Proxy host |
| proxy_port | (empty) | Proxy port |
| proxy_username | (empty) | Proxy username |
| proxy_password | (empty) | Proxy password (stored securely) |
SSL/TLS Settings
| Parameter | Default | Description |
|---|---|---|
| ca_cert_path | (empty) | Custom CA certificate path for SSL verification |
MMDB Settings
Each database has corresponding enable/interval settings:
| Parameter Pattern | Example | Description |
|---|---|---|
| `<db>_mmdb_enable` | `lite_mmdb_enable = false` | Enable specific MMDB download |
| `<db>_mmdb_interval` | `lite_mmdb_interval = Daily` | Update interval (Daily/Weekly/Monthly) |
Cluster Replication Settings
| Parameter | Default | Description |
|---|---|---|
| replicate_lookup | No | Replicate lookups in distributed environment |
| shc_replication | Externally | Search Head Cluster replication mode (Internally/Externally) |
Note: Configuration changes may require a Splunk restart or app reload to take effect. In Search Head Clusters, ensure all members have consistent configuration.
We welcome your feedback and if you have any feature requests or need support using the IPinfo Splunk app, please create a post in our IPinfo Community or contact support@ipinfo.io.