Download checksums for Spur Enrichment for Splunk (SHA256)

spur-enrichment-for-splunk_1015.tgz  783c5382dffbebd20c830533c418b414e376e3f641353305b61aa88735f279ab
spur-enrichment-for-splunk_1014.tgz  d60d7251669e63aafd693719bd13b22acb72ec53219045581dc369ea9e85b6c6
spur-enrichment-for-splunk_1012.tgz  24161178c26280b06ed206bd9b0a9b57250337fb1155c06e3905d247deb867a6
spur-enrichment-for-splunk_1011.tgz  799c472928201e45287368689a4f5e4319db4c58f07cb7a4fe9dd4e6d7dbba34
spur-enrichment-for-splunk_1010.tgz  bbf37904ff7772f56d5e5fe84875683dc870e82c4d8feb41dd04a8d601a0e94f
spur-enrichment-for-splunk_109.tgz   309b5914fdbaa9875cb7b2417782d731cc67edbc145790468dc45fddb8b25dd5
spur-enrichment-for-splunk_108.tgz   8aa5a8291a5e80b1174f28b29025258e7b4212e061ab191ee41f278cda5cac99
spur-enrichment-for-splunk_107.tgz   b30898ee75fbf286af4b34a360dfa4c6c203c477af6f74ffdfcc805a07951b08
spur-enrichment-for-splunk_106.tgz   89b224c2a3de1ec9a4afd3cf82b211130d5c1cc8ad22ccbaa9de14f2b2ebecea
spur-enrichment-for-splunk_105.tgz   49965a9bf204cb11d60e7edaecaa617ec362cc0856166058f5f01cd673446cf5
spur-enrichment-for-splunk_103.tgz   f364129b6baaaea4dfe15e247a698358729f9bb6b9de50a326c0675b92577a03
spur-enrichment-for-splunk_102.tgz   b33ef4cca66c76a746c141e8fbac11f439d2270e25a8c5926f2d03103f0a3e49
spur-enrichment-for-splunk_101.tgz   ef7cf40f1d99a88a7657e3f076ecbbd4d66f5da8dd3733e2024a6be1f292201a
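Before a package downloaded from Splunkbase goes onto a search head, its digest should be compared with the published list above. The following is an added example, not code from the app or from Splunkbase: it parses the checksum list in exactly the "SHA256 checksum (file) digest" form printed on this page and compares a local file's SHA-256 with the entry for its file name. The file names and digests are the page's own; the package bytes used to exercise it are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import re
from pathlib import Path

# Checksum list as published on the Splunkbase download dialog for this app (copied from this page).
SPLUNKBASE_CHECKSUMS = """
SHA256 checksum (spur-enrichment-for-splunk_1015.tgz) 783c5382dffbebd20c830533c418b414e376e3f641353305b61aa88735f279ab
SHA256 checksum (spur-enrichment-for-splunk_1014.tgz) d60d7251669e63aafd693719bd13b22acb72ec53219045581dc369ea9e85b6c6
SHA256 checksum (spur-enrichment-for-splunk_1012.tgz) 24161178c26280b06ed206bd9b0a9b57250337fb1155c06e3905d247deb867a6
SHA256 checksum (spur-enrichment-for-splunk_1011.tgz) 799c472928201e45287368689a4f5e4319db4c58f07cb7a4fe9dd4e6d7dbba34
SHA256 checksum (spur-enrichment-for-splunk_1010.tgz) bbf37904ff7772f56d5e5fe84875683dc870e82c4d8feb41dd04a8d601a0e94f
SHA256 checksum (spur-enrichment-for-splunk_109.tgz) 309b5914fdbaa9875cb7b2417782d731cc67edbc145790468dc45fddb8b25dd5
SHA256 checksum (spur-enrichment-for-splunk_108.tgz) 8aa5a8291a5e80b1174f28b29025258e7b4212e061ab191ee41f278cda5cac99
SHA256 checksum (spur-enrichment-for-splunk_107.tgz) b30898ee75fbf286af4b34a360dfa4c6c203c477af6f74ffdfcc805a07951b08
SHA256 checksum (spur-enrichment-for-splunk_106.tgz) 89b224c2a3de1ec9a4afd3cf82b211130d5c1cc8ad22ccbaa9de14f2b2ebecea
SHA256 checksum (spur-enrichment-for-splunk_105.tgz) 49965a9bf204cb11d60e7edaecaa617ec362cc0856166058f5f01cd673446cf5
SHA256 checksum (spur-enrichment-for-splunk_103.tgz) f364129b6baaaea4dfe15e247a698358729f9bb6b9de50a326c0675b92577a03
SHA256 checksum (spur-enrichment-for-splunk_102.tgz) b33ef4cca66c76a746c141e8fbac11f439d2270e25a8c5926f2d03103f0a3e49
SHA256 checksum (spur-enrichment-for-splunk_101.tgz) ef7cf40f1d99a88a7657e3f076ecbbd4d66f5da8dd3733e2024a6be1f292201a
"""

# One entry per package: the file name in parentheses followed by a 64-character hex digest.
_ENTRY_RE = re.compile(r"SHA256 checksum \(([^)\s]+)\)\s+([0-9a-fA-F]{64})")


def parse_checksum_list(text: str) -> dict[str, str]:
    """Map package file name -> lowercase hex digest from the Splunkbase checksum format."""
    table: dict[str, str] = {}
    for name, digest in _ENTRY_RE.findall(text):
        if name in table and table[name] != digest.lower():
            raise ValueError(f"conflicting digests published for {name}")
        table[name] = digest.lower()
    return table


def sha256_of_file(path: str | Path) -> str:
    """Stream the file through SHA-256 so a large .tgz never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(path: str | Path, checksums: dict[str, str]) -> bool:
    """True if the file's digest matches the published entry for its file name.

    A file name that is absent from the list raises ValueError: an unknown
    package must not be installed just because no digest happened to disagree.
    """
    name = Path(path).name
    expected = checksums.get(name)
    if expected is None:
        raise ValueError(f"{name} is not in the published checksum list; refusing to install it")
    actual = sha256_of_file(path)
    # Constant-time comparison; both sides are 64 hex characters, so lengths always match.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    import sys

    ok = verify_package(sys.argv[1], parse_checksum_list(SPLUNKBASE_CHECKSUMS))
    print("OK" if ok else "MISMATCH: do not install", sys.argv[1])
    sys.exit(0 if ok else 1)
```

Run it as `python verify_package.py spur-enrichment-for-splunk_1015.tgz` (a file name of your choosing for the script) after downloading; the file name on disk must match the name Splunkbase published, because that name is the key into the list.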


Spur Enrichment for Splunk

Splunk Cloud
Official Spur Splunk Application. Enhance your Splunk experience with the Spur Enrichment for Splunk App. This application integrates with Spur products, providing you with enriched data and insights right in your Splunk environment. Generate events based on IP inputs, enrich existing events with data from the Spur Context API, and insert feed data into a Splunk index with our modular input feature.

The Spur Splunk App requires an active Spur subscription and specific user privileges for installation (the release notes below list list_settings among the capabilities a user needs).

Once installed, you can utilize our search commands and modular input features to generate and enrich your data.

Get the most out of your data with the Spur Splunk App. Download today and start exploring your data in new ways.

Search Commands

Generating command

This command generates one event per input IP. It queries the Spur Context API, so an active Spur subscription is required. The command takes one argument, 'ip': the IP address, or a comma-separated list of addresses, that is passed to the Context API.

Examples

Single IP:

| spurcontextapigen ip="1.1.1.1"

Multiple IPs:

| spurcontextapigen ip="1.1.1.1,8.8.8.8"

Streaming command

This command enriches existing events with data from the Spur Context API, so an active Spur subscription is required. It takes one argument, 'ip_field': the name of the field holding the IP address that is passed to the Context API. Each lookup consumes Context API query quota (the app can warn you when queries are almost depleted), so narrow the search and de-duplicate IPs before piping into this command, as the last example below does.

Examples

NOTE: The examples below assume you have loaded the Splunk tutorial data: https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchTutorial/GetthetutorialdataintoSplunk

Simple example:

| makeresults
| eval ip = "1.1.1.1"
| spurcontextapi ip_field="ip"

Basic IP Query:

clientip="223.205.219.67" | spurcontextapi ip_field="clientip"

Enrich a list of distinct IPs:

clientip=* | head 1000 | stats values(clientip) as "ip" | mvexpand ip | spurcontextapi ip_field="ip"

Modular Input (Feed integration)

The modular input writes feed data into a Splunk index. It uses the Spur Feed API, so an active Spur subscription is required. The input takes two arguments: 'Feed Type' and 'Enable Checkpoint Files'. The feed type selects which feed to pull from the Spur API and depends on your subscription level (anonymous, anonymous-residential, realtime; the anonymous-ipv6, anonymous-residential-ipv6 and ipgeo feed types are described elsewhere on this page). Enabling checkpoint files ensures that the same feed file is not processed more than once. During setup you can override the Splunk defaults to write into a different index, and you can use the interval setting to ingest the feed on the schedule you want.

Setup

  1. Setup a new data input. Settings -> Data Inputs
  2. Select "Spur Feed"
  3. Click the new button
  4. Give the input a name
  5. Input your feed type
  6. Enable checkpointing if needed. It is recommended for large daily feeds with an interval defined; it is ignored for the realtime feed.
  7. Check 'More Settings' to configure the details of the input. This is optional but is recommended if you want to override the default index and specify an interval.
  8. Click next
  9. Depending on your interval settings, data may begin ingesting right away. Depending on the feed type, it can take several minutes to ingest all the data.

NOTE: You can monitor the progress of the feed by looking at the logs. They are written locally to $SPLUNK_HOME/var/log/splunk/spur.log (/opt/splunk/var/log/splunk/spur.log on a default Linux install). The file can be viewed directly or added to Splunk as a data input.

Examples

index="spur" earliest=@d | head 1000

(The search-time modifier is earliest, not earliest_time. Substitute the index you configured for the input if you overrode the default.)

IP Geo

Using Spur IP Geo with built in 'iplocation' command

You can enhance Splunk's built-in iplocation command by replacing the default IP geolocation database with Spur's more accurate and comprehensive IP geolocation data. This allows you to leverage Spur's superior IP intelligence while using Splunk's native iplocation command syntax.

Setup

  1. Download the Spur IP Geo database. Fetch the latest version from https://feeds.spur.us/v2/ipgeo/latest.mmdb (this requires an active Spur subscription with access to the IP Geo feed, as the modular input section below states). Confirm that the file you saved is actually an .mmdb database and not an error page before going further.
  2. Replace the default database using the Splunk Web interface (recommended):
     a. Navigate to Settings > Lookups > GeoIP lookups file
     b. Click Choose File and select the downloaded Spur .mmdb file
     c. Click Save to upload and replace the existing GeoIP database
     d. Splunk will automatically restart the necessary services

Alternative - manual file replacement:
  1. Copy the downloaded .mmdb file over the default database at $SPLUNK_HOME/share/GeoLite2-City.mmdb, or place it elsewhere and point the db_path setting in limits.conf at it (see Configuration Options below).
  2. Restart your Splunk instance to load the new database file.

Configuration Options

To use a custom file path or name, add the following to your limits.conf file:

[iplocation]
db_path = /path/to/your/spur-ipgeo.mmdb

For distributed deployments, ensure the .mmdb file is deployed to all indexers as it's not automatically included in the knowledge bundle.
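A file saved from the feed URL should be validated before it replaces $SPLUNK_HOME/share/GeoLite2-City.mmdb: an unauthenticated or failed download stored under that name is usually an HTML or JSON error body, and Splunk would then load a broken GeoIP database. The following is an added example written for this page, not code from the Spur app or from Splunk. It locates the MaxMind DB metadata section by the marker the MMDB format specification defines, decodes the metadata map with a minimal decoder for the format's data types, and checks the format version and IP version. The sample blob is constructed; "Constructed-Test-City" is not a real database_type, and this page does not state what database_type value the Spur file carries, so only its presence is checked.

```python
from __future__ import annotations

import struct

# The MaxMind DB format stores its metadata after this marker, within the last 128 KiB of the file.
METADATA_MARKER = b"\xab\xcd\xefMaxMind.com"
MAX_METADATA_SIZE = 128 * 1024


def _decode(buf: bytes, pos: int):
    """Decode one value of the MMDB data-section encoding at buf[pos]; return (value, next_pos)."""
    ctrl = buf[pos]
    pos += 1
    typ = ctrl >> 5
    size = ctrl & 0x1F
    if typ == 0:  # extended type: the real type is 7 + the next byte
        typ = 7 + buf[pos]
        pos += 1
    if typ == 1:
        raise ValueError("pointer in metadata; this checker only decodes inline values")
    if size == 29:
        size = 29 + buf[pos]
        pos += 1
    elif size == 30:
        size = 285 + int.from_bytes(buf[pos:pos + 2], "big")
        pos += 2
    elif size == 31:
        size = 65821 + int.from_bytes(buf[pos:pos + 3], "big")
        pos += 3
    if typ == 2:  # UTF-8 string
        return buf[pos:pos + size].decode("utf-8"), pos + size
    if typ == 3:  # double, always 8 bytes big-endian
        return struct.unpack(">d", buf[pos:pos + 8])[0], pos + 8
    if typ == 4:  # raw bytes
        return bytes(buf[pos:pos + size]), pos + size
    if typ in (5, 6, 9, 10):  # uint16 / uint32 / uint64 / uint128: size bytes, big-endian
        return int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if typ == 8:  # int32: two's complement only when all four bytes are present
        return int.from_bytes(buf[pos:pos + size], "big", signed=(size == 4)), pos + size
    if typ == 7:  # map: size is the number of key/value pairs, keys are strings
        out = {}
        for _ in range(size):
            key, pos = _decode(buf, pos)
            val, pos = _decode(buf, pos)
            out[key] = val
        return out, pos
    if typ == 11:  # array: size is the element count
        items = []
        for _ in range(size):
            val, pos = _decode(buf, pos)
            items.append(val)
        return items, pos
    if typ == 14:  # boolean: the value lives in the size bits, no payload
        return bool(size), pos
    if typ == 15:  # float, 4 bytes
        return struct.unpack(">f", buf[pos:pos + 4])[0], pos + 4
    raise ValueError(f"unsupported MMDB data type {typ}")


def read_mmdb_metadata(blob: bytes) -> dict:
    """Locate and decode the metadata map; raise ValueError if the bytes are not an MMDB file."""
    idx = blob.rfind(METADATA_MARKER, max(0, len(blob) - MAX_METADATA_SIZE))
    if idx < 0:
        raise ValueError("no MaxMind DB metadata marker in the last 128 KiB: not an .mmdb file")
    meta, _ = _decode(blob, idx + len(METADATA_MARKER))
    if not isinstance(meta, dict):
        raise ValueError("MMDB metadata is not a map")
    return meta


def check_geoip_candidate(blob: bytes) -> dict:
    """Sanity-check a downloaded database before it replaces Splunk's GeoIP file; return a summary."""
    meta = read_mmdb_metadata(blob)
    if meta.get("binary_format_major_version") != 2:
        raise ValueError(f"unexpected MMDB format version {meta.get('binary_format_major_version')!r}")
    if meta.get("ip_version") not in (4, 6):
        raise ValueError(f"unexpected ip_version {meta.get('ip_version')!r}")
    if not isinstance(meta.get("database_type"), str) or not meta["database_type"]:
        raise ValueError("MMDB metadata has no database_type")
    return {"database_type": meta["database_type"], "ip_version": meta["ip_version"],
            "languages": meta.get("languages", []), "build_epoch": meta.get("build_epoch")}


# Constructed sample: 64 bytes of placeholder tree/data, then a hand-encoded metadata map.
def _s(text: str) -> bytes:
    """Encode a short (< 29 byte) UTF-8 string field."""
    raw = text.encode("utf-8")
    assert len(raw) < 29
    return bytes([0x40 | len(raw)]) + raw


def _u16(n: int) -> bytes:
    """Encode a uint16 field with a one-byte payload (n < 256)."""
    return b"\xa1" + bytes([n])


SAMPLE_MMDB = (
    b"\x00" * 64 + METADATA_MARKER
    + b"\xe4"  # map with 4 entries
    + _s("binary_format_major_version") + _u16(2)
    + _s("database_type") + _s("Constructed-Test-City")
    + _s("ip_version") + _u16(6)
    + _s("languages") + b"\x01\x04" + _s("en")  # extended type 11 (array) holding one string
)
```

Call check_geoip_candidate() on the downloaded bytes and refuse to copy the file into place when it raises; the returned database_type and build_epoch are what you record in the change ticket so a later rollback knows which build was installed.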

Example Usage

Test the enhanced IP geolocation with a simple example:

| makeresults 
| eval ip="8.8.8.8" 
| iplocation ip

This will return enhanced location data powered by Spur's IP intelligence, including more accurate city, country, region, latitude, and longitude information.

Spur IP Geo modular input

The Spur IP Geo modular input allows you to automatically ingest IP geolocation data into a locally stored mmdb. You must have an active Spur subscription with access to the IP Geo feed.

Setup

  1. Setup a new data input. Settings -> Data Inputs
  2. Select "Spur Feed"
  3. Click the new button
  4. Give the input a name
  5. Input ipgeo as your feed type
  6. Check 'More Settings' to configure the details of the input. This is optional but is recommended if you want to specify an interval for weekly downloads.
  7. Click next
  8. Depending on your interval settings data may begin ingesting right away.

Spur IP Location Command

The app includes a spuriplocation command that enriches events with comprehensive IP geolocation data from the Spur IP Geo MMDB. This command can be used as an enhanced replacement for Splunk's built-in iplocation command, providing more detailed geographic and network information.

Prerequisites: This command depends on the Spur IP Geo modular input. Please configure the IP Geo feed input first before using this command.

Basic Usage

| makeresults 
| eval ip="1.1.1.1" 
| spuriplocation ip_field=ip

Options

  • ip_field (required): The field containing the IP address to look up
  • fields (optional): Comma-separated list of fields to include in the output. If not specified, all fields are included.

Available Fields

The spuriplocation command supports the following fields. You can use either the short field names or full field names when specifying the fields option:

Short name | Full field name | Description
country | spur_location_country | Country name (English)
country_iso | spur_location_country_iso | ISO country code (e.g., "US")
country_geoname_id | spur_location_country_geoname_id | GeoNames database ID for country
subdivision | spur_location_subdivision | State/province name (English)
subdivision_geoname_id | spur_location_subdivision_geoname_id | GeoNames database ID for subdivision
city | spur_location_city | City name (English)
city_geoname_id | spur_location_city_geoname_id | GeoNames database ID for city
continent | spur_location_continent | Continent name (English)
continent_code | spur_location_continent_code | Continent code (e.g., "NA")
continent_geoname_id | spur_location_continent_geoname_id | GeoNames database ID for continent
registered_country | spur_location_registered_country | Registered country name (English)
registered_country_iso | spur_location_registered_country_iso | Registered country ISO code
registered_country_geoname_id | spur_location_registered_country_geoname_id | GeoNames ID for registered country
latitude | spur_location_latitude | Latitude coordinate
longitude | spur_location_longitude | Longitude coordinate
accuracy_radius | spur_location_accuracy_radius | Accuracy radius in kilometers
timezone | spur_location_timezone | Timezone (e.g., "America/Chicago")
as_number | spur_as_number | Autonomous System number
as_organization | spur_as_organization | Autonomous System organization name
error | spur_error | Error message (if any)

Usage Examples

Basic IP lookup with all fields:

| makeresults 
| eval ip="8.8.8.8" 
| spuriplocation ip_field=ip

Get only basic location information:

| makeresults 
| eval ip="8.8.8.8" 
| spuriplocation ip_field=ip fields="country,subdivision,city"

Get coordinates only:

| makeresults 
| eval ip="8.8.8.8" 
| spuriplocation ip_field=ip fields="latitude,longitude"

Get network information:

| makeresults 
| eval ip="8.8.8.8" 
| spuriplocation ip_field=ip fields="as_number,as_organization"

Enrich existing log data:

index=web_logs 
| head 1000 
| spuriplocation ip_field=client_ip fields="country,city,latitude,longitude"

Get detailed country information with IDs:

| makeresults 
| eval ip="8.8.8.8" 
| spuriplocation ip_field=ip fields="country,country_iso,country_geoname_id"

Mixed field specification (short and full names):

| makeresults 
| eval ip="8.8.8.8" 
| spuriplocation ip_field=ip fields="country,spur_location_latitude,as_number"

Schema

Search Commands

The following fields are returned from the Context API and added to the streamed records:

"spur_as_number"
"spur_as_organization"
"spur_organization"
"spur_infrastructure"
"spur_client_behaviors"
"spur_client_concentration_country"
"spur_client_concentration_city"
"spur_client_concentration_geohash"
"spur_client_concentration_density"
"spur_client_concentration_skew"
"spur_client_countries"
"spur_client_spread"
"spur_client_proxies"
"spur_client_count"
"spur_client_types"
"spur_location_country"
"spur_location_state"
"spur_location_city"
"spur_services"
"spur_tunnels_type"
"spur_tunnels_anonymous"
"spur_tunnels_operator"
"spur_risks"

Feed

The records from the feed are inserted with no modifications. They adhere to the following JSON schema:

{
  "type": "object",
  "description": "IP Context Object",
  "additionalProperties": false,
  "properties": {
    "ip": {
      "type": "string"
    },
    "as": {
      "type": "object",
      "properties": {
        "number": {
          "type": "integer"
        },
        "organization": {
          "type": "string"
        }
      }
    },
    "organization": {
      "type": "string"
    },
    "infrastructure": {
      "type": "string"
    },
    "client": {
      "type": "object",
      "properties": {
        "behaviors": {
          "type": "array",
          "uniqueItems": true,
          "items": {
            "type": "string"
          }
        },
        "concentration": {
          "type": "object",
          "properties": {
            "country": {
              "type": "string"
            },
            "state": {
              "type": "string"
            },
            "city": {
              "type": "string"
            },
            "geohash": {
              "type": "string"
            },
            "density": {
              "type": "number",
              "minimum": 0,
              "maximum": 1
            },
            "skew": {
              "type": "integer"
            }
          }
        },
        "countries": {
          "type": "integer"
        },
        "spread": {
          "type": "integer"
        },
        "proxies": {
          "type": "array",
          "uniqueItems": true,
          "items": {
            "type": "string"
          }
        },
        "count": {
          "type": "integer"
        },
        "types": {
          "type": "array",
          "uniqueItems": true,
          "items": {
            "type": "string"
          }
        }
      }
    },
    "location": {
      "type": "object",
      "properties": {
        "country": {
          "type": "string"
        },
        "state": {
          "type": "string"
        },
        "city": {
          "type": "string"
        }
      }
    },
    "services": {
      "type": "array",
      "items": {
        "type": "string"
      }
    },
    "tunnels": {
      "type": "array",
      "uniqueItems": true,
      "items": {
        "type": "object",
        "properties": {
          "anonymous": {
            "type": "boolean"
          },
          "entries": {
            "type": "array",
            "uniqueItems": true,
            "items": {
              "type": "string"
            }
          },
          "operator": {
            "type": "string"
          },
          "type": {
            "type": "string"
          },
          "exits": {
            "type": "array",
            "uniqueItems": true,
            "items": {
              "type": "string"
            }
          }
        },
        "required": ["type"]
      }
    },
    "risks": {
      "type": "array",
      "uniqueItems": true,
      "items": {
        "type": "string"
      }
    }
  },
  "required": ["ip"]
}
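To show how a nested feed record of the shape above maps onto the flat spur_* field names listed under Search Commands, and how the flattened fields drive a detection, here is an added Python example. It is not the app's own code: the flat field names follow the list above, but representing each tunnel attribute as a list (one entry per tunnel) is this example's choice, and the feed records, web events, category values such as "DATACENTER", "VPN" or "TUNNEL", and the density/countries thresholds are all constructed for illustration. IPs are normalized before lookup so that an IPv6 address written in expanded form still matches the compressed form stored in the feed.

```python
from __future__ import annotations

import ipaddress

# Constructed feed records shaped like the feed JSON schema above (not real Spur data).
FEED_RECORDS = [
    {
        "ip": "203.0.113.10",
        "as": {"number": 64500, "organization": "EXAMPLE-HOSTING-AS"},
        "organization": "Example Hosting Ltd",
        "infrastructure": "DATACENTER",
        "client": {
            "concentration": {"country": "US", "city": "Dallas", "geohash": "9vg4", "density": 0.31, "skew": 50},
            "countries": 40,
            "count": 400,
        },
        "tunnels": [{"type": "VPN", "anonymous": True, "operator": "EXAMPLE_VPN"}],
        "risks": ["TUNNEL"],
    },
    {
        "ip": "2001:db8::1",  # IPv6 record stored in compressed form
        "as": {"number": 64501, "organization": "EXAMPLE-ISP"},
        "infrastructure": "RESIDENTIAL",
        "location": {"country": "US", "state": "Texas", "city": "Austin"},
        "client": {"concentration": {"country": "US", "city": "Austin", "density": 0.97, "skew": 2},
                   "countries": 1, "count": 3},
        "tunnels": [],
        "risks": [],
    },
]

# Constructed web access events with the clientip field the spurcontextapi examples use.
WEB_EVENTS = [
    {"clientip": "203.0.113.10", "uri_path": "/login", "status": 200},
    {"clientip": "2001:0db8:0000:0000:0000:0000:0000:0001", "uri_path": "/account", "status": 200},  # = 2001:db8::1
    {"clientip": "192.0.2.50", "uri_path": "/", "status": 404},  # not in the feed
    {"clientip": "not-an-ip", "uri_path": "/", "status": 400},   # malformed value must not break the pipeline
]

# Flat field name (as documented for the search commands) -> path into the nested record.
FLAT_FIELDS = {
    "spur_as_number": ("as", "number"),
    "spur_as_organization": ("as", "organization"),
    "spur_organization": ("organization",),
    "spur_infrastructure": ("infrastructure",),
    "spur_client_behaviors": ("client", "behaviors"),
    "spur_client_concentration_country": ("client", "concentration", "country"),
    "spur_client_concentration_city": ("client", "concentration", "city"),
    "spur_client_concentration_geohash": ("client", "concentration", "geohash"),
    "spur_client_concentration_density": ("client", "concentration", "density"),
    "spur_client_concentration_skew": ("client", "concentration", "skew"),
    "spur_client_countries": ("client", "countries"),
    "spur_client_spread": ("client", "spread"),
    "spur_client_proxies": ("client", "proxies"),
    "spur_client_count": ("client", "count"),
    "spur_client_types": ("client", "types"),
    "spur_location_country": ("location", "country"),
    "spur_location_state": ("location", "state"),
    "spur_location_city": ("location", "city"),
    "spur_services": ("services",),
    "spur_risks": ("risks",),
}


def _dig(record: dict, path: tuple):
    cur = record
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def flatten_record(record: dict) -> dict:
    """Flatten one feed record to the spur_* names; tunnels become one list per attribute (assumed layout)."""
    flat = {name: _dig(record, path) for name, path in FLAT_FIELDS.items()}
    tunnels = record.get("tunnels") or []
    flat["spur_tunnels_type"] = [t.get("type") for t in tunnels]
    flat["spur_tunnels_anonymous"] = [bool(t.get("anonymous", False)) for t in tunnels]
    flat["spur_tunnels_operator"] = [t.get("operator") for t in tunnels]
    return {k: v for k, v in flat.items() if v is not None and v != []}


def _norm(ip: str):
    """Canonical string form so 2001:0db8::1 and 2001:db8::1 are the same key; None if not an IP."""
    try:
        return str(ipaddress.ip_address(ip.strip()))
    except ValueError:
        return None


def build_lookup(records: list) -> dict:
    """Index feed records by normalized IP; 'ip' is the schema's only required property."""
    lookup = {}
    for rec in records:
        key = _norm(str(rec.get("ip", "")))
        if key is None:
            raise ValueError(f"feed record without a valid 'ip': {rec!r}")
        lookup[key] = rec
    return lookup


def detect_flags(enriched: dict) -> list:
    """Illustrative detection over the flattened fields; thresholds are constructed, not Spur guidance."""
    flags = []
    if any(enriched.get("spur_tunnels_anonymous", [])):
        flags.append("anonymous_tunnel")
    if enriched.get("spur_risks"):
        flags.append("risk:" + ",".join(enriched["spur_risks"]))
    density = enriched.get("spur_client_concentration_density")
    if density is not None and density < 0.5 and (enriched.get("spur_client_countries") or 0) > 10:
        flags.append("dispersed_clients")  # low geographic concentration across many countries
    return flags


def enrich_events(events: list, lookup: dict, ip_field: str = "clientip") -> list:
    """Mirror of the streaming command: copy each event, add spur_* fields when the IP is known, then flag."""
    out = []
    for ev in events:
        enriched = dict(ev)
        key = _norm(str(ev.get(ip_field, "")))
        rec = lookup.get(key) if key else None
        if rec is not None:
            enriched.update(flatten_record(rec))
        enriched["spur_flags"] = detect_flags(enriched)
        out.append(enriched)
    return out
```

In Splunk the same logic is the `where` or `eval` you write after `| spurcontextapi ip_field=clientip`; the point of the script is to make the field mapping and the edge cases (IPv6 spelling, unknown IPs, malformed values) explicit before they are encoded in SPL.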

Release Notes

Version 1.0.15
May 28, 2025

Added IP Geo feed support

Version 1.0.14
April 22, 2025
Version 1.0.12
Oct. 8, 2024
Version 1.0.11
June 21, 2024
Version 1.0.10
May 2, 2024

Added support for anonymous-ipv6 and anonymous-residential-ipv6 feeds in Splunk Data Inputs

Version 1.0.9
April 17, 2024

Updated installation instructions to include list_settings as a required capability for users.

Version 1.0.8
April 7, 2024

Fix bug in spurcontextapi command where ip data was not being populated

Version 1.0.7
Feb. 29, 2024
Version 1.0.6
Jan. 30, 2024
Version 1.0.5
Jan. 9, 2024

Fixed bug where ipv6 addresses would not be enriched, fix bug where when the first input resulted in an error subsequent results would not show all available enrichment fields

Version 1.0.3
Jan. 9, 2024

Set python version to be python 3 in commands.conf

Version 1.0.2
Dec. 13, 2023

Adjusted schema in output of spurcontextapi to use arrays instead of joined strings.
Fix issue where app doesn't work in a distributed environment.

Version 1.0.1
Nov. 27, 2023
  1. Allow for multiple IPs in spurcontextapigen
  2. User configurable threshold for web notifications on when Context API queries are almost depleted
  3. Web notifications when a feed has been ingested
  4. Web notifications when an error is encountered during feed ingestion
  5. Improved error handling for Context API queries and feed ingestion
  6. Improved checkpoint file logic
