
Kibana GeoIP example: How to index geographical location of IP addresses into Elasticsearch

Updated: Sep 14, 2020

The relation between your IP address and your geolocation is very simple. There are numerous services available today, like MaxMind, IP2Location, IPstack, Software77, etc., where you can look up the geolocation of an IP address. What's the benefit? It's very simple: it gives you another dimension along which to analyze your data.

Let's say my data shows that most of the users' traffic is coming from It doesn't make complete sense until I say most of the traffic is coming from New Jersey.

When I say geolocation, it includes multiple attributes like city, state, country, continent, region, currency, country flag, country language, latitude, longitude, etc. Most of the websites which provide geolocation are paid services.

But there are a few, like IPstack, which give you a free access token to call their REST APIs. Still, there are limitations on how many REST API calls you can make per day and on how many types of attributes you can pull. Suppose I want to show a specific city in the report and the API only gives access to country and continent; then obviously that data is useless for me.

Now the best part: the Elastic stack provides a free plugin called "GeoIP" which lets you look up millions of IP addresses. You might be wondering where it gets the location details from. The answer is MaxMind, which I referred to earlier. The GeoIP plugin does its lookup locally, against a stored copy of the MaxMind database that is kept up to date, and it creates a number of extra fields including the geo coordinates (longitude and latitude). These geo coordinates can be used to plot maps in Kibana.
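As an added example (not from the original post), here is a request body for Elasticsearch's `POST _ingest/pipeline/_simulate` API: it defines a pipeline with the geoip processor and runs it against three constructed documents so you can see the enrichment before touching a real index. The field name `client_ip`, the pipeline description and the sample addresses are assumptions made for this example.

```json
{
  "pipeline": {
    "description": "Constructed example: enrich client_ip with GeoIP data before indexing",
    "processors": [
      {
        "geoip": {
          "field": "client_ip",
          "target_field": "geoip",
          "properties": [
            "continent_name",
            "country_iso_code",
            "country_name",
            "region_name",
            "city_name",
            "location"
          ],
          "ignore_missing": true
        }
      }
    ]
  },
  "docs": [
    { "_source": { "client_ip": "8.8.8.8", "request": "GET /login" } },
    { "_source": { "client_ip": "10.0.0.5", "request": "GET /health" } },
    { "_source": { "request": "GET /metrics" } }
  ]
}
```

The first document comes back with a `geoip` object whose `location` holds `lat`/`lon`; the private address 10.0.0.5 has no entry in the database, so the processor adds nothing and raises no error, and the third document is passed through untouched because of `ignore_missing`. Before indexing real data, map `geoip.location` as `geo_point` in the index mapping, otherwise Kibana cannot plot it on a map.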

ELK Stack Installation

I am installing the ELK stack on macOS; for installation on a Linux machine refer to this. ELK installation is very easy on Mac with Homebrew. It's hardly a few minutes' task if done properly.

1. Homebrew Installation

Run this command in your terminal. If you have already installed Homebrew, move to the next step; if this command doesn't work, copy it from here.

$ /usr/bin/ruby -e "$(curl -fsSL"

2. Java Installation

Check if Java is installed on your machine.

$ java -version

java version "9.0.1"

If Java is not installed, run the following steps to install it.

$ brew tap caskroom/cask

$ brew cask install java

$ brew cask info java

3. Elasticsearch Installation

$ brew tap elastic/tap

$ brew install elastic/tap/elasticsearch-full

$ elasticsearch

If you see only INFO lines without any errors, the installation went fine. Leave this running; don't kill the process.

Now, simply open localhost:9200 in your local browser. You will see a JSON response with the Elasticsearch version.

[TIP] You might face a permission issue if you are not logged in as the root user. To enable the root user on Mac you can follow this. For security reasons the root user is disabled by default on Mac.

However, another solution is to change the folder permissions themselves. Run these commands if you want to change the folder permissions,

$ sudo chown -R $(whoami) /usr/local/include /usr/local/lib/pkgconfig

$ chmod u+w /usr/local/include /usr/local/lib/pkgconfig

Install Xcode if it's missing,