tencent cloud

Cloud Log Service

IP Geographic Function

Download
포커스 모드
폰트 크기
마지막 업데이트 시간: 2026-06-25 10:00:15
IP functions can obtain IP address geographic information and security threat information based on IP addresses. This document introduces the basic syntax and examples of IP functions.

IP Address Function

IPv4 Only

Note:
The KEY field in the following functions indicates the log field (for example, ip) and its value is an IP address. If the value is an internal IP address or an invalid field, the value cannot be parsed and is displayed as NULL or Unknown.
Due to limitations in IP address allocation mechanisms, the IP address database cannot accurately cover the geographic information on all IP addresses. A small number of IP addresses may lack detailed geographic information or have inaccurate geographic information.
Function
Description
Examples

ip_to_country(KEY)

Analyzes the country or region of the target IP address and returns the country or region name.
* | SELECT ip_to_country(ip)

ip_to_country_code(KEY)

Analyzes the country or region code of the target IP address and returns the country or region code.
* | SELECT ip_to_country_code(ip)

ip_to_country_geo(KEY)

Analyzes the longitude and latitude of the country or region corresponding to the target IP address and returns the longitude and latitude of the country or region.
* | SELECT ip_to_country_geo(ip)

ip_to_province(KEY)

Analyzes the province of the target IP address and returns the province name.
* | SELECT ip_to_province(ip)

ip_to_province_code(KEY)

Analyzes the province code of the target IP address and returns the province code.
* | SELECT ip_to_province_code(ip)

ip_to_province_geo(KEY)

Analyzes the longitude and latitude of the province corresponding to the target IP address and returns the longitude and latitude of the province.
* | SELECT ip_to_province_geo(ip)

ip_to_city(KEY)

Analyzes the city associated with the destination IP address and returns the city name.
* | SELECT ip_to_city(ip)

ip_to_city_code(KEY)

Analyzes the city code of the target IP address and returns the administrative division code of the city. This function supports Chinese cities only.
* | SELECT ip_to_city_code(ip)

ip_to_city_geo(KEY)

Analyzes the longitude and latitude of the city corresponding to the target IP address and returns the longitude and latitude of the city. This function supports Chinese cities only.
* | SELECT ip_to_city_geo(ip)

ip_to_provider(KEY)

Analyzes the ISP to which an IP address belongs. The ISP's name is returned.
* | SELECT ip_to_provider(ip)

Support for IPv4 and IPv6

Note:
Due to copyright restrictions, this function is available only to a limited number of large customers. To request access, contact your Tencent Cloud technical service team for an evaluation.
When you use this function, if the SQL query returns more than 10,000 rows, the IP address parsing results for the rows beyond this limit are automatically hidden and displayed as Hiding Detailed Geolocation Data in IPv6 or NULL. This limitation applies only to the final SQL query results and does not affect the calculation accuracy of intermediate SQL processing steps.
The function for obtaining the network operator corresponding to an IP address, namely the ip_to_provider function, is not supported.
Due to limitations in IP address allocation mechanisms, the IP address database cannot accurately cover the geographic information on all IP addresses. A small number of IP addresses may lack detailed geographic information or have inaccurate geographic information.
Function
Description
Examples
ip_to_country(KEY,'enable_ipv6')
Analyzes the country or region of the target IP address and returns the country or region name.
* | SELECT ip_to_country(ip,'enable_ipv6')
ip_to_country_code(KEY,'enable_ipv6')
Analyzes the country or region code of the target IP address and returns the country or region code.
* | SELECT ip_to_country_code(ip,'enable_ipv6')
ip_to_country_geo(KEY,'enable_ipv6')
Analyzes the longitude and latitude of the country or region corresponding to the target IP address and returns the longitude and latitude of the country or region.
* | SELECT ip_to_country_geo(ip,'enable_ipv6')
ip_to_province(KEY,'enable_ipv6')
Analyzes the province of the target IP address and returns the province name.
* | SELECT ip_to_province(ip,'enable_ipv6')
ip_to_province_code(KEY,'enable_ipv6')
Analyzes the province code of the target IP address and returns the province code.
* | SELECT ip_to_province_code(ip,'enable_ipv6')
ip_to_province_geo(KEY,'enable_ipv6')
Analyzes the longitude and latitude of the province corresponding to the target IP address and returns the longitude and latitude of the province.
* | SELECT ip_to_province_geo(ip,'enable_ipv6')
ip_to_city(KEY,'enable_ipv6')
Analyzes the city associated with the destination IP address and returns the city name.
* | SELECT ip_to_city(ip,'enable_ipv6')
ip_to_city_code(KEY,'enable_ipv6')
Analyzes the city code of the target IP address and returns the administrative division code of the city. This function supports Chinese cities only.
* | SELECT ip_to_city_code(ip,'enable_ipv6')
ip_to_city_geo(KEY,'enable_ipv6')
Analyzes the longitude and latitude of the city corresponding to the target IP address and returns the longitude and latitude of the city. This function supports Chinese cities only.
* | SELECT ip_to_city_geo(ip,'enable_ipv6')

IP Range Functions

Note:
The KEY parameter in the functions below represents a log field (such as ip) with the value of an IP address.
In the ip_subnet_min, ip_subnet_max, and ip_subnet_range functions, the field value must be an IP address in subnet mask format (for example: 192.168.1.0/24). If the field value is a general IP address, you must use the concat function to convert it to subnet mask format.

IPv4 Only

Function Name
Description
Examples
ip_prefix
(KEY,prefix_bits)
Obtains the prefix of the target IP address and returns the IP address in subnet mask format. For example, 192.168.1.0/24.
* | SELECT ip_prefix(ip,24)
ip_subnet_min
(KEY)
Obtains the minimum IP address in an IP range and returns the IP address. For example, 192.168.1.0.
* | SELECT ip_subnet_min(concat(ip,'/24'))
ip_subnet_max
(KEY)
Obtains the maximum IP address in an IP range and returns the IP address. For example, 192.168.1.255.
* | SELECT ip_subnet_max(concat(ip,'/24'))
ip_subnet_range
(KEY)
Obtains the IP address range and returns the IP addresses in an Array. For example, ["172.16.0.0","172.16.0.255"].
* | SELECT ip_subnet_range(concat(ip,'/24'))
is_subnet_of(KEY)
Determines whether the target IP address is within an IP range and returns a Boolean value.
* | SELECT is_subnet_of('192.168.0.1/24', ip)
is_prefix_subnet_of(KEY)
Determines whether the target IP range is a subnet of a specified IP range and returns a Boolean value.
* | SELECT is_prefix_subnet_of('192.168.0.1/24',concat(ip, '/24'))

Support for IPv4 and IPv6

Function Name
Description
Examples
ip_to_domain
(KEY)
Determines whether the target IP address is a private network address or a public network address. Returns intranet for a private network address, internet for a public network address, and invalid for an illegal address.
* | SELECT ip_to_domain(ip)
ip_version(KEY)
Obtains the IP address version. The returned result is ipv4 or ipv6.
* | SELECT ip_version(ip)

IP Threat Detection Functions

Determine whether a specified IP address is malicious based on the security intelligence from the Tencent Security Threat Intelligence Center.
Note:
The KEY parameter in the functions below represents a log field (such as ip) with the value of an IP address.
The detection is based on big data from security intelligence. Its result indicates whether the IP address has exhibited malicious behavior in the past (for example, by launching injection attacks against a third-party system). This does not mean that the IP address necessarily exhibits malicious behavior in the current logs or the current system.
Function Name
Description
Examples
ip_threat(KEY)
Determines whether an IP address is malicious. Returns:
UNKNOWN: Unknown (no threat information detected).
SECURE: Secure.
SUSPICIOUS: Suspicious.
MALICIOUS: Malicious.
* | SELECT ip_threat(ip)
ip_threat_tags(KEY)
The threat tags of suspicious and malicious IP addresses, representing the specific malicious behaviors associated with that IP address. Returns an array.
* | SELECT ip_threat_tags(ip)
ip_threat_detail(KEY)
IP address threat detection details, returned as JSON. For example:
{
"reputation": "SECURE",
"tags": ["Tencent Business Scan"],
"extraInfo": {
"announcement": "This IP is the scanning IP for WeChat Official Accounts and Mini-Programs, which will regularly scan your data transmission to ensure smooth callbacks and stable services. If you detect scanning activities from this IP, please allow or whitelist it.",
"demo": "-",
"descibe": null,
"referer": "https://developers.weixin.qq.com/community/develop/doc/0000682a9aca4090cdfb008475b401"
},
"extraInfo_zh": {
"announcement": "This IP address is a scanning IP for WeChat Official Accounts and Mini Programs. It periodically scans your data transmissions to ensure smooth callbacks and stable service. If you detect scanning activities originating from this IP address, please allow or whitelist it...",
"demo": "-",
"descibe": null,
"referer": "https://developers.weixin.qq.com/community/develop/doc/0000682a9aca4090cdfb008475b401"
}
}
Among them:
reputation: Whether the IP address is malicious. Its content is the same as that of ip_threat(KEY).
tags: Threat tags for suspicious and malicious IP addresses. Its content is the same as that of ip_threat_tags(KEY).
extraInfo: Detailed description of the IP address. This information is available only for some secure (SECURE) IP addresses. For other IP addresses, please visit the Tencent Security Threat Intelligence Center to view it.
extraInfo_zh: Chinese version of the IP address detailed description.
* | SELECT ip_threat_detail(ip)

Threat Tag Description

Some common threat tags and their meanings are as follows:
Threat Tag
Description
Detailed Description
xx Exploit vulnerability
xx Vulnerability Exploitation
The IP address initiates attacks against users by exploiting specific vulnerabilities, such as Weblogic vulnerability exploitation.
xx attack
xx Attack
The IP address has launched specific types of attacks against users, such as CC attacks and credential stuffing attacks.
xx Scanning
xx Scanning
The IP address scans user assets by exploiting specific vulnerabilities, such as Zhiyuan OA scanning (Zhiyuan OA Scanning).
Brute force
Brute force
The IP address attempts passwords against user systems.
Proxy seconds dial
Proxy seconds dial
Proxy: This IP address was used as a proxy IP address by cybercriminals at a certain point in time.
Fast Dial: This IP address was identified as a fast dial IP address resource provided by cybercriminals at a certain point in time (cybercriminals use home broadband dial-up to hold malicious IP addresses for a certain period).
Environmental forgery
Environmental forgery
The IP address forges environments to bypass or deceive the service's security detection.
Network traffic risk control
Network traffic risk control
The traffic from this IP address triggered the network traffic risk control rules.
group control
Group control
The traffic from this IP address may originate from a group control platform or system.

Examples

The following are query and analysis statement examples of IP geographic functions. After performing such query and analysis operations, you can select appropriate statistics charts to display the query and analysis results.
Note:
In the following examples, the log field is ip.
Count the total number of requests that are not from the private network:
* | SELECT count(*) AS PV where ip_to_domain(ip)!='intranet'
Find the top 10 provinces with the largest total number of requests:
* | SELECT ip_to_province(ip) AS province, count(*) as PV GROUP BY province ORDER BY PV desc LIMIT 10
If the result includes requests from the private network and you want to exclude them, use the following query and analysis statement:
* | SELECT ip_to_province(ip) AS province, count(*) as PV where ip_to_domain(ip)!='intranet' GROUP BY province ORDER BY PV desc LIMIT 10
Collect the longitude and latitude statistics of IP addresses to determine client distribution:
* | SELECT ip_to_geo(ip) AS geo, count(*) AS pv GROUP BY geo ORDER BY pv DESC
Count malicious IP addresses and obtain the threat level, threat tag, and number of accesses for each IP address.
* |
select
ip,
CASE WHEN ip_threat(ip) = 'SUSPICIOUS' THEN 'Suspicious' WHEN ip_threat(ip) = 'MALICIOUS' THEN 'Malicious' END as "Threat Level",
ip_threat_tags(ip) as "Threat Tag",
count(*) as "Access Count"
where
ip_threat(ip) = 'SUSPICIOUS'
or ip_threat(ip) = 'MALICIOUS'
group by
ip
order by
count(*) desc
limit
10000


도움말 및 지원

문제 해결에 도움이 되었나요?

피드백