The geo_info_from_ip_address function in APL retrieves geographic information based on an IP address. It maps an IP address to attributes such as city, region, and country, allowing you to perform location-based analytics on your datasets. This function is particularly useful for analyzing web logs, security events, and telemetry data to uncover geographic trends or detect anomalies based on location.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

Usage

Syntax

geo_info_from_ip_address(ip_address)

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| ip_address | string | The IP address for which to retrieve geographic information. |

Returns

A dynamic object containing the IP address’s geographic attributes (if available). The object contains the following fields:

| Name | Type | Description |
| --- | --- | --- |
| country | string | Country name |
| state | string | State (subdivision) name |
| city | string | City name |
| latitude | real | Latitude coordinate |
| longitude | real | Longitude coordinate |
| country_iso | string | ISO code of the country |
| time_zone | string | Time zone in which the IP address is located |

Use case example

Use geographic data to analyze web log traffic.

Query

['sample-http-logs']
| extend geo_info = geo_info_from_ip_address('172.217.22.14')

Output

geo_info
{
  "state": "",
  "longitude": -97.822,
  "latitude": 37.751,
  "country_iso": "US",
  "country": "United States",
  "city": "",
  "time_zone": "America/Chicago"
}

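This query identifies the geographic location of the IP address 172.217.22.14. Because the address is passed as a string literal, every row receives the same geo_info value. The state and city fields are empty strings in this output because those attributes aren't available for this address.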
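
The following query is an added example, not part of the original page. It applies the function to a column instead of a literal and handles lookups that return empty attributes. The dataset name `auth-logs` and the fields `client_ip` (IPv4 strings) and `user` are assumptions chosen for illustration.

```kusto
// Added example. Assumed names (not from this page): dataset 'auth-logs'
// with string fields client_ip (IPv4) and user.
['auth-logs']
// Private ranges have no public geolocation, so drop them before the lookup.
| where ipv4_is_private(client_ip) == false
| extend geo = geo_info_from_ip_address(client_ip)
// Attributes are returned only if available; bucket empty values explicitly
// so they are not silently grouped with a real country code.
| extend country_iso = tostring(geo.country_iso)
| extend country_iso = iff(isempty(country_iso), "unknown", country_iso)
| summarize logins = count(),
            source_ips = dcount(client_ip),
            countries = make_set(country_iso),
            // Count only resolved countries so "unknown" does not inflate the total.
            country_count = dcountif(country_iso, country_iso != "unknown")
  by user
// Accounts seen from more than one country in the query window go to review.
| where country_count > 1
| sort by country_count desc
```

IP geolocation is approximate and VPN or proxy egress points shift the apparent country, so treat the result as a triage list, not a verdict.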

Related functions

  • has_any_ipv4: Matches any IP address in a string column with a list of IP addresses or ranges.
  • has_ipv4: Checks if a single IP address is present in a string column.
  • ipv4_is_in_range: Checks if an IP address is within a specified range.
  • ipv4_is_private: Checks if an IPv4 address is within private IP ranges.

IPv4 Examples

Extract geolocation information from IPv4 address

['sample-http-logs']
| extend ip_location = geo_info_from_ip_address('172.217.11.4')

Project geolocation information from IPv4 address

['sample-http-logs']
| project ip_location=geo_info_from_ip_address('20.53.203.50')

Filter geolocation information from IPv4 address

['sample-http-logs']
| extend ip_location = geo_info_from_ip_address('20.53.203.50')
| where ip_location.country == "Australia" and ip_location.country_iso == "AU" and ip_location.state == "New South Wales"

Group geolocation information from IPv4 address

['sample-http-logs']
| extend ip_location = geo_info_from_ip_address('20.53.203.50')
| summarize Count=count() by ip_location.state, ip_location.city, ip_location.latitude, ip_location.longitude

IPv6 Examples

Extract geolocation information from IPv6 address

['sample-http-logs']
| extend ip_location = geo_info_from_ip_address('2607:f8b0:4005:805::200e')

Project geolocation information from IPv6 address

['sample-http-logs']
| project ip_location=geo_info_from_ip_address('2a03:2880:f12c:83:face:b00c::25de')

Filter geolocation information from IPv6 address

['sample-http-logs']
| extend ip_location = geo_info_from_ip_address('2a03:2880:f12c:83:face:b00c::25de')
| where ip_location.country == "United States" and ip_location.country_iso == "US" and ip_location.state == "Florida"

Group geolocation information from IPv6 address

['sample-http-logs']
| extend ip_location = geo_info_from_ip_address('2a03:2880:f12c:83:face:b00c::25de')
| summarize Count=count() by ip_location.state, ip_location.city, ip_location.latitude, ip_location.longitude
