The geo_info_from_ip_address function in APL retrieves geographic information based on an IP address. It maps an IP address to attributes such as city, region, and country, allowing you to perform location-based analytics on your datasets. This function is particularly useful for analyzing web logs, security events, and telemetry data to uncover geographic trends or detect anomalies based on location.

#For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

['sample-http-logs']
| extend geo_info = geo_info_from_ip_address(client_ip)

['sample-http-logs']
| extend geo_info = geo_info_from_ip_address(client_ip)

#Usage

#Syntax

geo_info_from_ip_address(ip_address)

#Parameters

#Returns

A dynamic object containing the IP address’s geographic attributes (if available). The object contains the following fields:

#Use case example

Use geographic data to analyze web log traffic.

Query

['sample-http-logs']
| extend geo_info = geo_info_from_ip_address('172.217.22.14')

Run in Playground

Output

{
  "state": "",
  "longitude": -97.822,
  "latitude": 37.751,
  "country_iso": "US",
  "country": "United States",
  "city": "",
  "time_zone": "America/Chicago"
}

This query identifies the geographic location of the IP address 172.217.22.14.

#List of related functions

• has_any_ipv4: Matches any IP address in a string column with a list of IP addresses or ranges.
• has_ipv4: Checks if a single IP address is present in a string column.
• ipv4_is_in_range: Checks if an IP address is within a specified range.
• ipv4_is_private: Checks if an IPv4 address is within private IP ranges.

#IPv4 Examples

#Extract geolocation information from IPv4 address

['sample-http-logs']
| extend ip_location = geo_info_from_ip_address('172.217.11.4')

Run in Playground

#Project geolocation information from IPv4 address

['sample-http-logs']
| project ip_location=geo_info_from_ip_address('20.53.203.50')

Run in Playground

#Filter geolocation information from IPv4 address

['sample-http-logs']
| extend ip_location = geo_info_from_ip_address('20.53.203.50')
| where ip_location.country == "Australia" and ip_location.country_iso == "AU" and ip_location.state == "New South Wales"

Run in Playground

#Group geolocation information from IPv4 address

['sample-http-logs']
| extend ip_location = geo_info_from_ip_address('20.53.203.50')
| summarize Count=count() by ip_location.state, ip_location.city, ip_location.latitude, ip_location.longitude

Run in Playground

#IPv6 Examples

#Extract geolocation information from IPv6 address

['sample-http-logs']
| extend ip_location = geo_info_from_ip_address('2607:f8b0:4005:805::200e')

Run in Playground

#Project geolocation information from IPv6 address

['sample-http-logs']
| project ip_location=geo_info_from_ip_address('2a03:2880:f12c:83:face:b00c::25de')

Run in Playground

#Filter geolocation information from IPv6 address

['sample-http-logs']
| extend ip_location = geo_info_from_ip_address('2a03:2880:f12c:83:face:b00c::25de')
| where ip_location.country == "United States" and ip_location.country_iso == "US" and ip_location.state == "Florida"

Run in Playground

#Group geolocation information from IPv6 address

['sample-http-logs']
| extend ip_location = geo_info_from_ip_address('2a03:2880:f12c:83:face:b00c::25de')
| summarize Count=count() by ip_location.state, ip_location.city, ip_location.latitude, ip_location.longitude

Run in Playground