diff --git a/src/assets/images/ruleset-engine/language/expression-builder.png b/src/assets/images/ruleset-engine/language/expression-builder.png index 9c9ce96836eb14..7b365b4b958414 100644 Binary files a/src/assets/images/ruleset-engine/language/expression-builder.png and b/src/assets/images/ruleset-engine/language/expression-builder.png differ diff --git a/src/assets/images/ruleset-engine/language/expression-editor.png b/src/assets/images/ruleset-engine/language/expression-editor.png index 476877c7723212..05fbf42a77df1a 100644 Binary files a/src/assets/images/ruleset-engine/language/expression-editor.png and b/src/assets/images/ruleset-engine/language/expression-editor.png differ diff --git a/src/content/docs/ddos-protection/managed-rulesets/http/override-expressions.mdx b/src/content/docs/ddos-protection/managed-rulesets/http/override-expressions.mdx index 8eda717df36266..4090ada36803e1 100644 --- a/src/content/docs/ddos-protection/managed-rulesets/http/override-expressions.mdx +++ b/src/content/docs/ddos-protection/managed-rulesets/http/override-expressions.mdx @@ -6,12 +6,11 @@ sidebar: head: - tag: title content: Override expressions for HTTP DDoS Attack Protection - --- :::note -Only available to Enterprise customers with the Advanced DDoS Protection subscription. +Only available to Enterprise customers with the Advanced DDoS Protection subscription. ::: Set an override expression for the HTTP DDoS Attack Protection managed ruleset to define a specific scope for [sensitivity level](/ddos-protection/managed-rulesets/http/override-parameters/#sensitivity-level) or [action](/ddos-protection/managed-rulesets/http/override-parameters/#action) adjustments. 
@@ -36,11 +35,11 @@ You can use the following fields in override expressions: - `http.request.cookies` - `http.user_agent` - `http.x_forwarded_for` -- `ip.geoip.asnum` -- `ip.geoip.continent` -- `ip.geoip.country` -- `ip.geoip.is_in_european_union` - `ip.src` +- `ip.src.asnum` +- `ip.src.continent` +- `ip.src.country` +- `ip.src.is_in_european_union` - `ssl` - `cf.tls_client_auth.cert_verified` diff --git a/src/content/docs/logs/get-started/enable-destinations/splunk.mdx b/src/content/docs/logs/get-started/enable-destinations/splunk.mdx index 9d6c98df62cfda..dc3023f416149d 100644 --- a/src/content/docs/logs/get-started/enable-destinations/splunk.mdx +++ b/src/content/docs/logs/get-started/enable-destinations/splunk.mdx @@ -6,10 +6,9 @@ sidebar: head: - tag: title content: Enable Logpush to Splunk - --- -import { Render } from "~/components" +import { Render } from "~/components"; Cloudflare Logpush supports pushing logs directly to Splunk via the Cloudflare dashboard or via API. 
@@ -20,25 +19,27 @@ Cloudflare Logpush supports pushing logs directly to Splunk via the Cloudflare d 5. In **Select a destination**, choose **Splunk**. 6. Enter or select the following destination information: - * **Splunk raw HTTP Event Collector URL** - * **Channel ID** - This is a random GUID that you can generate using [guidgenerator.com](http://guidgenerator.com/). - * **Auth Token** - * **Source Type** - For example, `cloudflare:json`. If you are using the [Cloudflare App for Splunk](https://splunkbase.splunk.com/app/4501), refer to the appropriate source type for the corresponding datasets under the **Details** section. For instance, for Zero Trust Access requests logs, the source type is `cloudflare:access`. - * **Use insecure skip verify option** (not recommended). + - **Splunk raw HTTP Event Collector URL** + - **Channel ID** - This is a random GUID that you can generate using [guidgenerator.com](http://guidgenerator.com/). + - **Auth Token** + - **Source Type** - For example, `cloudflare:json`. If you are using the [Cloudflare App for Splunk](https://splunkbase.splunk.com/app/4501), refer to the appropriate source type for the corresponding datasets under the **Details** section. For instance, for Zero Trust Access requests logs, the source type is `cloudflare:access`. + - **Use insecure skip verify option** (not recommended). When you are done entering the destination details, select **Continue**. 7. Select the dataset to push to the storage service. 8. In the next step, you need to configure your logpush job: - * Enter the **Job name**. - * Under **If logs match**, you can select the events to include and/or remove from your logs. Refer to [Filters](/logs/reference/filters/) for more information. Not all datasets have this option available. - * In **Send the following fields**, you can choose to either push all logs to your storage destination or selectively choose which logs you want to push. + + - Enter the **Job name**. 
+ - Under **If logs match**, you can select the events to include and/or remove from your logs. Refer to [Filters](/logs/reference/filters/) for more information. Not all datasets have this option available. + - In **Send the following fields**, you can choose to either push all logs to your storage destination or selectively choose which logs you want to push. 9. In **Advanced Options**, you can: - * Choose the format of timestamp fields in your logs (`RFC3339`(default),`Unix`, or `UnixNano`). - * Select a [sampling rate](/logs/get-started/api-configuration/#sampling-rate) for your logs or push a randomly-sampled percentage of logs. - * Enable redaction for `CVE-2021-44228`. This option will replace every occurrence of `${` with `x{`. + + - Choose the format of timestamp fields in your logs (`RFC3339`(default),`Unix`, or `UnixNano`). + - Select a [sampling rate](/logs/get-started/api-configuration/#sampling-rate) for your logs or push a randomly-sampled percentage of logs. + - Enable redaction for `CVE-2021-44228`. This option will replace every occurrence of `${` with `x{`. 10. Select **Submit** once you are done configuring your logpush job. @@ -49,12 +50,8 @@ To set up a Splunk Logpush job: 1. Create a job with the appropriate endpoint URL and authentication parameters. 2. Enable the job to begin pushing logs. -:::note[Note] - - +:::note Unlike configuring Logpush jobs for AWS S3, GCS, or Azure, there is no ownership challenge when configuring Logpush to Splunk. - - ::: 
@@ -63,34 +60,33 @@ Unlike configuring Logpush jobs for AWS S3, GCS, or Azure, there is no ownership To create a job, make a `POST` request to the Logpush jobs endpoint with the following fields: -* **name** (optional) - Use your domain name as the job name. -* **destination\_conf** - A log destination consisting of an endpoint URL, channel id, insecure-skip-verify flag, source type, authorization header in the string format below. - - * **\**: The Splunk raw HTTP Event Collector URL with port. For example: `splunk.cf-analytics.com:8088/services/collector/raw`. - * Cloudflare expects the HEC network port to be configured to `:443` or `:8088`. - * Cloudflare expects the Splunk endpoint to be `/services/collector/raw` while configuring and setting up the Logpush job. - * Ensure you have enabled HEC in Splunk. Refer to [Splunk Analytics Integrations](/analytics/analytics-integrations/splunk/) for information on how to set up HEC in Splunk. - * You may notice an API request failed with a 504 error, when adding an incorrect URL. Splunk Cloud endpoint URL usually contains `http-inputs-` or similar text before the hostname. Refer to [Send data to HTTP Event Collector on Splunk Cloud Platform](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_Event_Collector) for more details. - * **\**: A unique channel ID. This is a random GUID that you can generate by: - * Using an online tool like the [GUID generator](https://www.guidgenerator.com/). - * Using the command line. For example: `python -c 'import uuid; print(uuid.uuid4())'`. - * **\**: Boolean value. Cloudflare recommends setting this value to `false`. Setting this value to `true` is equivalent to using the `-k` option with `curl` as shown in Splunk examples and is **not** recommended. Only set this value to `true` when HEC uses a self-signed certificate. - -:::note[Note] - -Cloudflare highly recommends setting this value to false. 
Refer to the [Logpush FAQ](/logs/faq/logpush/) for more information. +- **name** (optional) - Use your domain name as the job name. +- **destination_conf** - A log destination consisting of an endpoint URL, channel id, insecure-skip-verify flag, source type, authorization header in the string format below. + + - **\**: The Splunk raw HTTP Event Collector URL with port. For example: `splunk.cf-analytics.com:8088/services/collector/raw`. + - Cloudflare expects the HEC network port to be configured to `:443` or `:8088`. + - Cloudflare expects the Splunk endpoint to be `/services/collector/raw` while configuring and setting up the Logpush job. + - Ensure you have enabled HEC in Splunk. Refer to [Splunk Analytics Integrations](/analytics/analytics-integrations/splunk/) for information on how to set up HEC in Splunk. + - You may notice an API request failed with a 504 error, when adding an incorrect URL. Splunk Cloud endpoint URL usually contains `http-inputs-` or similar text before the hostname. Refer to [Send data to HTTP Event Collector on Splunk Cloud Platform](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_Event_Collector) for more details. + - **\**: A unique channel ID. This is a random GUID that you can generate by: + - Using an online tool like the [GUID generator](https://www.guidgenerator.com/). + - Using the command line. For example: `python -c 'import uuid; print(uuid.uuid4())'`. + - **\**: Boolean value. Cloudflare recommends setting this value to `false`. Setting this value to `true` is equivalent to using the `-k` option with `curl` as shown in Splunk examples and is **not** recommended. Only set this value to `true` when HEC uses a self-signed certificate. + +:::note +Cloudflare highly recommends setting this value to false. Refer to the [Logpush FAQ](/logs/faq/logpush/) for more information. ::: -* ``: The Splunk source type. For example: `cloudflare:json`. 
-* ``: The Splunk authorization token that is URL-encoded. For example: `Splunk%20e6d94e8c-5792-4ad1-be3c-29bcaee0197d`. +- ``: The Splunk source type. For example: `cloudflare:json`. +- ``: The Splunk authorization token that is URL-encoded. For example: `Splunk%20e6d94e8c-5792-4ad1-be3c-29bcaee0197d`. ```bash "splunk://?channel=&insecure-skip-verify=&sourcetype=&header_Authorization=" ``` -* **dataset** - The category of logs you want to receive. Refer to [Log fields](/logs/reference/log-fields/) for the full list of supported datasets. +- **dataset** - The category of logs you want to receive. Refer to [Log fields](/logs/reference/log-fields/) for the full list of supported datasets. -* **output\_options** (optional) - To configure fields, sample rate, and timestamp format, refer to [Log Output Options](/logs/reference/log-output-options/). For timestamp, Cloudflare recommends using `timestamps=rfc3339`. +- **output_options** (optional) - To configure fields, sample rate, and timestamp format, refer to [Log Output Options](/logs/reference/log-output-options/). For timestamp, Cloudflare recommends using `timestamps=rfc3339`. Example request using cURL: @@ -185,8 +181,6 @@ If your logpush destination hostname is proxied through Cloudflare, and you have 2. Select **Create rule** and enter a descriptive name for it (for example, `Splunk`). 3. Under **If incoming requests match**, use the **Field**, **Operator**, and **Value** dropdowns to create a rule. After finishing each row, select **And** to create the next row of rules. Refer to the table below for the values you should input: - - | Field | Operator | Value | | ---------------- | ---------- | --------------------------------------------------------------------- | | Request Method | `equals` | `POST` | 
@@ -196,21 +190,18 @@ If your logpush destination hostname is proxied through Cloudflare, and you have | AS Num | `equals` | `132892` | | User Agent | `equals` | `Go-http-client/2.0` | - - 4. After inputting the values as shown in the table, you should have an Expression Preview with the values you added for your specific rule. The example below reflects the hostname `splunk.cf-analytics.com`. ```txt -(http.request.method eq "POST" and http.host eq "splunk.cf-analytics.com" and http.request.uri.path eq "/services/collector/raw" and http.request.uri.query contains "channel" and ip.geoip.asnum eq 132892 and http.user_agent eq "Go-http-client/2.0") +(http.request.method eq "POST" and http.host eq "splunk.cf-analytics.com" and http.request.uri.path eq "/services/collector/raw" and http.request.uri.query contains "channel" and ip.src.asnum eq 132892 and http.user_agent eq "Go-http-client/2.0") ``` -5. Under the **Then** > **Choose an action** dropdown, select *Skip*. -6. Under **WAF components to skip**, select *All managed rules*. +5. Under the **Then** > **Choose an action** dropdown, select _Skip_. +6. Under **WAF components to skip**, select _All managed rules_. 7. Select **Deploy**. The WAF should now ignore requests made to Splunk HEC by Cloudflare. -:::note[Note] - -To analyze and visualize Cloudflare Logs using the Cloudflare App for Splunk, follow the steps in the [Splunk Analytics integration page](/analytics/analytics-integrations/splunk/). +:::note +To analyze and visualize Cloudflare Logs using the Cloudflare App for Splunk, follow the steps in the [Splunk Analytics integration page](/analytics/analytics-integrations/splunk/). ::: diff --git a/src/content/docs/rules/cloud-connector/examples/send-eu-visitors-to-gcs.mdx b/src/content/docs/rules/cloud-connector/examples/send-eu-visitors-to-gcs.mdx index 42f9530d7a36c5..82be8d29b07a6c 100644 --- a/src/content/docs/rules/cloud-connector/examples/send-eu-visitors-to-gcs.mdx 
+++ b/src/content/docs/rules/cloud-connector/examples/send-eu-visitors-to-gcs.mdx @@ -18,7 +18,7 @@ To route requests from visitors in the European Union to a Google Cloud Storage 5. _(Optional)_ Use the [Rewrite URL](/rules/transform/url-rewrite/) feature of [Transform Rules](/rules/transform/) to adjust the URL structure. For example, you can [create a URL rewrite](/rules/transform/url-rewrite/create-dashboard/) that changes `/eu` to `/` to match the URI path-style URL structure. 6. Click **Next** and enter a descriptive name like "Route EU visitors to GCP" in Cloud Connector name. 7. Under **If**, select **Custom filter expression** and enter the following expression: - `(ip.geoip.is_in_european_union)`
+ `(ip.src.is_in_european_union)`
This expression targets traffic from European Union users. 8. Select **Deploy** to activate the rule. diff --git a/src/content/docs/rules/transform/examples/rewrite-welcome-for-countries.mdx b/src/content/docs/rules/transform/examples/rewrite-welcome-for-countries.mdx index 61ca7826b26f60..d7871173e7c2a6 100644 --- a/src/content/docs/rules/transform/examples/rewrite-welcome-for-countries.mdx +++ b/src/content/docs/rules/transform/examples/rewrite-welcome-for-countries.mdx @@ -22,7 +22,7 @@ To have a welcome page in two languages, create two rewrite URL rules with a sta Text in **Expression Editor**: ```txt -http.request.uri.path == "/welcome.html" && ip.geoip.country == "GB" +http.request.uri.path == "/welcome.html" && ip.src.country == "GB" ``` Text after **Path** > **Rewrite to...** > _Static_: @@ -40,7 +40,7 @@ Text after **Path** > **Rewrite to...** > _Static_: Text in **Expression Editor**: ```txt -http.request.uri.path == "/welcome.html" && ip.geoip.country == "PT" +http.request.uri.path == "/welcome.html" && ip.src.country == "PT" ``` Text after **Path** > **Rewrite to...** > _Static_: diff --git a/src/content/docs/rules/url-forwarding/examples/redirect-country-subdomains.mdx b/src/content/docs/rules/url-forwarding/examples/redirect-country-subdomains.mdx index db4375b2af2091..f0b0c1e4f5e0dd 100644 --- a/src/content/docs/rules/url-forwarding/examples/redirect-country-subdomains.mdx +++ b/src/content/docs/rules/url-forwarding/examples/redirect-country-subdomains.mdx @@ -22,12 +22,12 @@ This example single redirect for zone `example.com` will redirect United Kingdom **When incoming requests match** Using the Expression Editor:
-`(ip.geoip.country eq "GB" or ip.geoip.country eq "FR") and http.request.uri.path eq "/"` +`(ip.src.country eq "GB" or ip.src.country eq "FR") and http.request.uri.path eq "/"` **Then** - **Type:** _Dynamic_ -- **Expression:** `lower(concat("https://", ip.geoip.country, ".example.com"))` +- **Expression:** `lower(concat("https://", ip.src.country, ".example.com"))` - **Status code:** _301_ diff --git a/src/content/docs/rules/url-forwarding/single-redirects/create-api.mdx b/src/content/docs/rules/url-forwarding/single-redirects/create-api.mdx index 256685b1e56f3a..1bcee6b7b0b3c6 100644 --- a/src/content/docs/rules/url-forwarding/single-redirects/create-api.mdx +++ b/src/content/docs/rules/url-forwarding/single-redirects/create-api.mdx @@ -38,13 +38,13 @@ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets \ "phase": "http_request_dynamic_redirect", "rules": [ { - "expression": "(ip.geoip.country eq \"GB\" or ip.geoip.country eq \"FR\") and http.request.uri.path eq \"/\"", + "expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") and http.request.uri.path eq \"/\"", "description": "Redirect GB and FR users in home page to localized site.", "action": "redirect", "action_parameters": { "from_value": { "target_url": { - "expression": "lower(concat(\"https://\", ip.geoip.country, \".example.com\"))" + "expression": "lower(concat(\"https://\", ip.src.country, \".example.com\"))" }, "status_code": 307, "preserve_query_string": true 
@@ -68,13 +68,13 @@ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets \ { "id": "235e557b92fd4e5e8753ee665a9ddd75", "version": "1", - "expression": "(ip.geoip.country eq \"GB\" or ip.geoip.country eq \"FR\") and http.request.uri.path eq \"/\"", + "expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") and http.request.uri.path eq \"/\"", "description": "Redirect GB and FR users in home page to localized site.", "action": "redirect", "action_parameters": { "from_value": { "target_url": { - "expression": "lower(concat(\"https://\", ip.geoip.country, \".example.com\"))" + "expression": "lower(concat(\"https://\", ip.src.country, \".example.com\"))" }, "status_code": 307, "preserve_query_string": true @@ -107,13 +107,13 @@ https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id} \ "phase": "http_request_dynamic_redirect", "rules": [ { - "expression": "(ip.geoip.country eq \"GB\" or ip.geoip.country eq \"FR\") and http.request.uri.path eq \"/\"", + "expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") and http.request.uri.path eq \"/\"", "description": "Redirect GB and FR users in home page to localized site.", "action": "redirect", "action_parameters": { "from_value": { "target_url": { - "expression": "lower(concat(\"https://\", ip.geoip.country, \".example.com\"))" + "expression": "lower(concat(\"https://\", ip.src.country, \".example.com\"))" }, "status_code": 307, "preserve_query_string": true 
@@ -155,13 +155,13 @@ https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id} \ "action_parameters": { "from_value": { "target_url": { - "expression": "lower(concat(\"https://\", ip.geoip.country, \".example.com\"))" + "expression": "lower(concat(\"https://\", ip.src.country, \".example.com\"))" }, "status_code": 307, "preserve_query_string": true } }, - "expression": "(ip.geoip.country eq \"GB\" or ip.geoip.country eq \"FR\") and http.request.uri.path eq \"/\"", + "expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") and http.request.uri.path eq \"/\"", "description": "Redirect GB and FR users in home page to localized site.", "last_updated": "2022-10-03T15:38:51.658387Z", "ref": "235e557b92fd4e5e8753ee665a9ddd75", diff --git a/src/content/docs/ruleset-engine/custom-rulesets/add-rules-ruleset.mdx b/src/content/docs/ruleset-engine/custom-rulesets/add-rules-ruleset.mdx index 48cb2bcca19ae1..67677abffbf788 100644 --- a/src/content/docs/ruleset-engine/custom-rulesets/add-rules-ruleset.mdx +++ b/src/content/docs/ruleset-engine/custom-rulesets/add-rules-ruleset.mdx @@ -32,7 +32,7 @@ https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{custom_rule --data '{ "rules": [ { - "expression": "(ip.geoip.country eq \"GB\" or ip.geoip.country eq \"FR\") or cf.threat_score > 0", + "expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") or cf.threat_score > 0", "action": "challenge", "description": "challenge GB and FR or based on IP Reputation" }, @@ -57,7 +57,7 @@ https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{custom_rule "id": "", "version": "1", "action": "challenge", - "expression": "(ip.geoip.country eq \"GB\" or ip.geoip.country eq \"FR\") or cf.threat_score \u003e 0", + "expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") or cf.threat_score \u003e 0", "description": "challenge GB and FR or based on IP Reputation", "last_updated": "2021-03-18T18:25:08.122758Z", "ref": "", 
@@ -133,7 +133,7 @@ https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{ruleset_id} "id": "", "version": "1", "action": "challenge", - "expression": "(ip.geoip.country eq \"GB\" or ip.geoip.country eq \"FR\") or cf.threat_score \u003e 0", + "expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") or cf.threat_score \u003e 0", "description": "challenge GB and FR or based on IP Reputation", "last_updated": "2021-03-18T18:25:08.122758Z", "ref": "", diff --git a/src/content/docs/ruleset-engine/rules-language/expressions/edit-expressions.mdx b/src/content/docs/ruleset-engine/rules-language/expressions/edit-expressions.mdx index 47e380c0d2fb4f..611eb68414bdf8 100644 --- a/src/content/docs/ruleset-engine/rules-language/expressions/edit-expressions.mdx +++ b/src/content/docs/ruleset-engine/rules-language/expressions/edit-expressions.mdx @@ -27,7 +27,7 @@ The Expression Builder allows you to visually create rule expressions by using d The **Expression Preview** displays the expression in text: ```sql -(ip.geoip.country ne "GB") +(ip.src.country ne "GB") ``` The Expression Builder will [automatically escape](#escape-special-characters) the backslash (`\`) and double quote (`"`) special characters in string literals. 
@@ -63,7 +63,7 @@ The following rule expression will match requests from any visitor who is not fr contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")) and -ip.geoip.country ne "MY" +ip.src.country ne "MY" ``` Only the Expression Editor supports nested expressions such as the one above. If you create a rule with nested expressions in the Expression Editor and try to switch to the Expression Builder, a dialog will warn you that the expression is not supported in the builder. You will be prompted to **Discard changes** and switch to the Expression Builder or **Cancel** and continue working in the editor. @@ -88,5 +88,5 @@ Filter parsing error (1:313): ((http.request.uri.path contains (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")) and -ip.geoip.country ne "MY") ^ unrecognised input +ip.src.country ne "MY") ^ unrecognised input ``` diff --git a/src/content/docs/ruleset-engine/rules-language/operators.mdx b/src/content/docs/ruleset-engine/rules-language/operators.mdx index a37c10e26f8c46..95882247ee1e31 100644 --- a/src/content/docs/ruleset-engine/rules-language/operators.mdx +++ b/src/content/docs/ruleset-engine/rules-language/operators.mdx @@ -415,7 +415,7 @@ You can nest expressions grouped by parentheses inside other groups to create ve ( (http.host eq "api.example.com" and http.request.uri.path eq "/api/v2/auth") or (http.host matches "^(www|store|blog)\.example\.com" and http.request.uri.path contains "wp-login.php") or - ip.geoip.country in {"CN" "TH" "US" "ID" "KR" "MY" "IT" "SG" "GB"} or ip.geoip.asnum in {12345 54321 11111} + ip.src.country in {"CN" "TH" "US" "ID" "KR" "MY" "IT" "SG" "GB"} or ip.src.asnum in {12345 54321 11111} ) and not ip.src in {11.22.33.0/24} ``` 
diff --git a/src/content/docs/ruleset-engine/rulesets-api/add-rule.mdx b/src/content/docs/ruleset-engine/rulesets-api/add-rule.mdx index 0f35c748bac4c0..3967336ba648df 100644 --- a/src/content/docs/ruleset-engine/rulesets-api/add-rule.mdx +++ b/src/content/docs/ruleset-engine/rulesets-api/add-rule.mdx @@ -38,7 +38,7 @@ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/ --header "Content-Type: application/json" \ --data '{ "action": "js_challenge", - "expression": "(ip.geoip.country eq \"GB\" or ip.geoip.country eq \"FR\") or cf.threat_score > 0", + "expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") or cf.threat_score > 0", "description": "challenge GB and FR or based on IP Reputation" }' ``` @@ -65,7 +65,7 @@ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/ "id": "", "version": "1", "action": "js_challenge", - "expression": "(ip.geoip.country eq \"GB\" or ip.geoip.country eq \"FR\") or cf.threat_score > 0", + "expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") or cf.threat_score > 0", "description": "challenge GB and FR or based on IP Reputation", "last_updated": "2021-06-22T12:35:58.144683Z", "ref": "", diff --git a/src/content/docs/ruleset-engine/rulesets-api/delete-rule.mdx b/src/content/docs/ruleset-engine/rulesets-api/delete-rule.mdx index e3922e0ac07761..a955c66661241f 100644 --- a/src/content/docs/ruleset-engine/rulesets-api/delete-rule.mdx +++ b/src/content/docs/ruleset-engine/rulesets-api/delete-rule.mdx 
@@ -45,7 +45,7 @@ https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{ruleset_id} "id": "", "version": "2", "action": "js_challenge", - "expression": "(ip.geoip.country eq \"GB\" or ip.geoip.country eq \"FR\") or cf.threat_score > 0", + "expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") or cf.threat_score > 0", "description": "challenge GB and FR or based on IP Reputation", "last_updated": "2021-07-22T12:54:58.144683Z", "ref": "", diff --git a/src/content/docs/ruleset-engine/rulesets-api/update-rule.mdx b/src/content/docs/ruleset-engine/rulesets-api/update-rule.mdx index 221ec6dca0d003..db76972422624d 100644 --- a/src/content/docs/ruleset-engine/rulesets-api/update-rule.mdx +++ b/src/content/docs/ruleset-engine/rulesets-api/update-rule.mdx @@ -35,7 +35,7 @@ https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{ruleset_id} --header "Content-Type: application/json" \ --data '{ "action": "js_challenge", - "expression": "(ip.geoip.country eq \"GB\" or ip.geoip.country eq \"FR\") or cf.threat_score > 0", + "expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") or cf.threat_score > 0", "description": "challenge GB and FR or based on IP Reputation" }' ``` @@ -53,7 +53,7 @@ https://api.cloudflare.com/client/v4/accounts/{account_id}/rulesets/{ruleset_id} "id": "", "version": "2", "action": "js_challenge", - "expression": "(ip.geoip.country eq \"GB\" or ip.geoip.country eq \"FR\") or cf.threat_score > 0", + "expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") or cf.threat_score > 0", "description": "challenge GB and FR or based on IP Reputation", "last_updated": "2023-03-22T12:54:58.144683Z", "ref": "", diff --git a/src/content/docs/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-1xxx-errors.mdx b/src/content/docs/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-1xxx-errors.mdx index d5c777e500b336..510be074971bff 100644 
--- a/src/content/docs/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-1xxx-errors.mdx +++ b/src/content/docs/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-1xxx-errors.mdx @@ -490,11 +490,11 @@ Make sure that the rewritten URI path is not empty and it starts with a `/` (sla For example, the following URI path rewrite expression is not valid: -`concat(lower(ip.geoip.country), http.request.uri.path)` +`concat(lower(ip.src.country), http.request.uri.path)` To fix the expression above, add a `/` prefix: -`concat("/", lower(ip.geoip.country), http.request.uri.path)` +`concat("/", lower(ip.src.country), http.request.uri.path)` --- diff --git a/src/content/docs/waf/custom-rules/create-api.mdx b/src/content/docs/waf/custom-rules/create-api.mdx index b5585750864081..8013d0ac0ccf87 100644 --- a/src/content/docs/waf/custom-rules/create-api.mdx +++ b/src/content/docs/waf/custom-rules/create-api.mdx @@ -39,7 +39,7 @@ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/ --header "Content-Type: application/json" \ --data '{ "description": "My custom rule", - "expression": "(ip.geoip.country eq \"GB\" or ip.geoip.country eq \"FR\") and cf.threat_score > 10", + "expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") and cf.threat_score > 10", "action": "challenge" }' ``` @@ -58,7 +58,7 @@ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/ --header "Content-Type: application/json" \ --data '{ "description": "My custom rule with plain text response", - "expression": "(ip.geoip.country eq \"GB\" or ip.geoip.country eq \"FR\") and cf.threat_score > 50", + "expression": "(ip.src.country eq \"GB\" or ip.src.country eq \"FR\") and cf.threat_score > 50", "action": "block", "action_parameters": { "response": { 
diff --git a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx index c09a06eb0a5166..164127a025db58 100644 --- a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx +++ b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx @@ -3,9 +3,9 @@ pcx_content_type: configuration title: Allow traffic from specific countries only --- -This example blocks requests based on country code using the [`ip.geoip.country`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrccountry) field, only allowing requests from two countries: United States and Mexico. +This example blocks requests based on country code using the [`ip.src.country`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrccountry) field, only allowing requests from two countries: United States and Mexico. -- **Expression**: `(not ip.geoip.country in {"US" "MX"})` +- **Expression**: `(not ip.src.country in {"US" "MX"})` - **Action**: _Block_ ## Other resources diff --git a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-verified-bots.mdx b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-verified-bots.mdx index 6e148833ccd160..d02d6026b6cc25 100644 --- a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-verified-bots.mdx +++ b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-verified-bots.mdx 
@@ -10,7 +10,7 @@ This example challenges requests from a list of countries, but allows traffic fr The rule expression uses the [`cf.client.bot`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfclientbot) field to determine if the request originated from a known good bot or crawler. -- **Expression**: `(ip.geoip.country in {"US" "MX"} and not cf.client.bot)` +- **Expression**: `(ip.src.country in {"US" "MX"} and not cf.client.bot)` - **Action**: _Managed Challenge_ ## Other resources diff --git a/src/content/docs/waf/custom-rules/use-cases/block-ip-reputation.mdx b/src/content/docs/waf/custom-rules/use-cases/block-ip-reputation.mdx index 69076aec337393..7851d205a0de1d 100644 --- a/src/content/docs/waf/custom-rules/use-cases/block-ip-reputation.mdx +++ b/src/content/docs/waf/custom-rules/use-cases/block-ip-reputation.mdx @@ -9,5 +9,5 @@ import { GlossaryDefinition } from "~/components"; This example blocks requests based on country code ([ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format), from IP addresses that score greater than 0. This is equivalent to setting the Security Level in **Security** > **Settings** to _High_. For more information, refer to [Security Level](/waf/tools/security-level/). -- **Expression**: `(ip.geoip.country in {"CN" "TW" "US" "GB"} and cf.threat_score gt 0)` +- **Expression**: `(ip.src.country in {"CN" "TW" "US" "GB"} and cf.threat_score gt 0)` - **Action**: _Block_ diff --git a/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx b/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx index f4ed5fbc1ca23d..c086ffb10947a9 100644 --- a/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx +++ b/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx 
@@ -3,9 +3,9 @@ pcx_content_type: configuration title: Block traffic from specific countries --- -This example blocks requests based on country code using the [`ip.geoip.country`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrccountry) field. +This example blocks requests based on country code using the [`ip.src.country`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrccountry) field. -- **Expression**: `(ip.geoip.country in {"KN" "SY"})` +- **Expression**: `(ip.src.country in {"KN" "SY"})` - **Action**: _Block_ ## Other resources diff --git a/src/content/docs/waf/custom-rules/use-cases/update-rules-customers-partners.mdx b/src/content/docs/waf/custom-rules/use-cases/update-rules-customers-partners.mdx index e80a31b928b3de..e7b2bc70520c1e 100644 --- a/src/content/docs/waf/custom-rules/use-cases/update-rules-customers-partners.mdx +++ b/src/content/docs/waf/custom-rules/use-cases/update-rules-customers-partners.mdx @@ -22,12 +22,12 @@ If a customer or partner is large enough, you could set up a custom rule based o This example uses: -- The [`ip.geoip.asnum`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrcasnum) field to specify the general region. +- The [`ip.src.asnum`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrcasnum) field to specify the general region. - The [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfbot_managementscore) field to ensure partner traffic does not come from bots. Example rule: -- **Expression**: `(ip.geoip.asnum eq 64496 and cf.bot_management.score gt 30)` +- **Expression**: `(ip.src.asnum eq 64496 and cf.bot_management.score gt 30)` - **Action**: _Skip:_ - _All remaining custom rules_ 
@@ -39,12 +39,12 @@ Access to [Bot Management](/bots/plans/bm-subscription/) requires a Cloudflare E This example uses: -- The [`ip.geoip.asnum`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrcasnum) field to specify the general region. +- The [`ip.src.asnum`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrcasnum) field to specify the general region. - The [`cf.threat_score`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfthreat_score) dynamic field to ensure requests are not high-risk traffic. If a request meets these criteria, your custom rule skips [User Agent Blocking](/waf/tools/user-agent-blocking/) rules. -- **Expression**: `(ip.geoip.asnum eq 64496 and cf.threat_score lt 14)` +- **Expression**: `(ip.src.asnum eq 64496 and cf.threat_score lt 14)` - **Action**: _Skip:_ - _User Agent Blocking_ diff --git a/src/content/docs/waf/rate-limiting-rules/parameters.mdx b/src/content/docs/waf/rate-limiting-rules/parameters.mdx index 9a4f63029f46bf..5d3a82a8d8f57a 100644 --- a/src/content/docs/waf/rate-limiting-rules/parameters.mdx +++ b/src/content/docs/waf/rate-limiting-rules/parameters.mdx @@ -46,8 +46,8 @@ Use one or more of the following characteristics: | **Query value of** (enter parameter name) | `http.request.uri.args[""]` | [Missing field versus empty value](#missing-field-versus-empty-value) | | **Host** | `http.host` | | **Path** | `http.request.uri.path` | -| **AS Num** | `ip.geoip.asnum` | -| **Country** | `ip.geoip.country` | +| **AS Num** | `ip.src.asnum` | +| **Country** | `ip.src.country` | | **JA3 Fingerprint** | `cf.bot_management.ja3_hash` | | **JA4** | `cf.bot_management.ja4` | | **JSON string value of** (enter key) | `lookup_json_string(http.request.body.raw, "")` | [Missing field versus empty value](#missing-field-versus-empty-value) and [`lookup_json_string()` function reference](/ruleset-engine/rules-language/functions/#lookup_json_string) | 
diff --git a/src/content/docs/waf/rate-limiting-rules/use-cases.mdx b/src/content/docs/waf/rate-limiting-rules/use-cases.mdx index ca19c06624b16d..ade2f71246cca0 100644 --- a/src/content/docs/waf/rate-limiting-rules/use-cases.mdx +++ b/src/content/docs/waf/rate-limiting-rules/use-cases.mdx @@ -6,10 +6,9 @@ sidebar: head: - tag: title content: Rate limiting rule examples - --- -import { Example } from "~/components" +import { Example } from "~/components"; The examples below include sample rate limiting rule configurations. @@ -20,12 +19,12 @@ The following rule performs rate limiting on incoming requests from the US addre Expression:
-`(http.request.uri.path eq "/login" and ip.geoip.country eq "US" and ip.src ne 192.0.0.1)` +`(http.request.uri.path eq "/login" and ip.src.country eq "US" and ip.src ne 192.0.0.1)` Rule characteristics: -* *Data center ID* (included by default when creating the rule in the dashboard) -* *IP Address* +- _Data center ID_ (included by default when creating the rule in the dashboard) +- _IP Address_
@@ -40,9 +39,9 @@ Expression:
Rule characteristics: -* *Data center ID* (included by default when creating the rule in the dashboard) -* *IP Address* -* *HTTP Header* > `x-api-key` +- _Data center ID_ (included by default when creating the rule in the dashboard) +- _IP Address_ +- _HTTP Header_ > `x-api-key` @@ -57,8 +56,8 @@ Expression:
Rule characteristics: -* *Data center ID* (included by default when creating the rule in the dashboard) -* *IP Address* -* *HTTP Header* > `user-agent` +- _Data center ID_ (included by default when creating the rule in the dashboard) +- _IP Address_ +- _HTTP Header_ > `user-agent` diff --git a/src/content/docs/waf/troubleshooting/faq.mdx b/src/content/docs/waf/troubleshooting/faq.mdx index a851bbb9bef397..36a514e5a18d17 100644 --- a/src/content/docs/waf/troubleshooting/faq.mdx +++ b/src/content/docs/waf/troubleshooting/faq.mdx @@ -137,7 +137,7 @@ Block Amazon Web Services (AWS) and Google Cloud Platform (GCP) because of large - Basic rule, no exclusion: - - **Expression**: `(ip.geoip.asnum in {16509 15169})` + - **Expression**: `(ip.src.asnum in {16509 15169})` - **Action**: Block (or a challenge action) - Rule that excludes IP addresses from being blocked/challenged: diff --git a/src/content/partials/rules/transform/header-modification-fields.mdx b/src/content/partials/rules/transform/header-modification-fields.mdx index 4c7fa27e7de264..a65f6dc490d559 100644 --- a/src/content/partials/rules/transform/header-modification-fields.mdx +++ b/src/content/partials/rules/transform/header-modification-fields.mdx @@ -31,8 +31,13 @@ - `ip.src` - `ip.src.lat` - `ip.src.lon` +- `ip.src.asnum` - `ip.src.city` -- `ip.geoip.*` +- `ip.src.country` +- `ip.src.continent` +- `ip.src.is_in_european_union` +- `ip.src.subdivision_1_iso_code` +- `ip.src.subdivision_2_iso_code` - `ssl` Refer to [Fields](/ruleset-engine/rules-language/fields/) for reference information on these fields. diff --git a/src/content/partials/rules/transform/transform-phase-fields.mdx b/src/content/partials/rules/transform/transform-phase-fields.mdx index 6311866de58573..146cbb3a5d1f0a 100644 --- a/src/content/partials/rules/transform/transform-phase-fields.mdx +++ b/src/content/partials/rules/transform/transform-phase-fields.mdx 
@@ -30,8 +30,13 @@ - `ip.src` - `ip.src.lat` - `ip.src.lon` +- `ip.src.asnum` - `ip.src.city` -- `ip.geoip.*` +- `ip.src.country` +- `ip.src.continent` +- `ip.src.is_in_european_union` +- `ip.src.subdivision_1_iso_code` +- `ip.src.subdivision_2_iso_code` - `ssl` Refer to [Fields](/ruleset-engine/rules-language/fields/) for reference information on these fields.
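Review bot: In update-rules-customers-partners.mdx, both changed bullets still describe `ip.src.asnum` as the field "to specify the general region", but an AS number identifies the source network (the expressions match `ip.src.asnum eq 64496`), not a geography. Since these lines are being touched anyway, suggest rewording to something like "to match the partner's autonomous system (network)", so readers do not mistake an ASN match for a geographic restriction when they copy the skip rule.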
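Review bot: In block-traffic-from-specific-countries.mdx the rewritten expression keeps `{"KN" "SY"}`, and `KN` is the ISO 3166-1 alpha-2 code for Saint Kitts and Nevis, which looks unintended next to `SY`. Please confirm the intended country as part of this rename. If North Korea was meant, the code is `KP`, and a reader copying the sample as written would block the wrong country and leave the intended one unblocked.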
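Review bot: In rate-limiting-rules/use-cases.mdx the updated expression still ends with `ip.src ne 192.0.0.1`, an address inside 192.0.0.0/24 (IETF protocol assignments) rather than one of the ranges reserved for documentation. Suggest switching the sample to an address from 192.0.2.0/24, for example `ip.src ne 192.0.2.1`, while the line is being edited.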
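Review bot: In header-modification-fields.mdx and transform-phase-fields.mdx, the explicit list that replaces the `ip.geoip.*` wildcard is added identically to both partials and lands out of alphabetical order around the existing `ip.src.city` entry (`ip.src.lon`, `ip.src.asnum`, `ip.src.city`, `ip.src.country`, `ip.src.continent`). Suggest sorting the entries and keeping the list in a single shared partial. A wildcard covered new fields automatically, whereas two hand-maintained copies will drift the first time a field is added to only one of them.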
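Review bot: In the rate-limiting-rules/parameters.mdx table and the WAF use-case pages, every `ip.geoip.*` name is replaced with no mention left of the old spelling. Readers whose deployed rules still contain `ip.geoip.country` or `ip.geoip.asnum` will search these pages for those names and find nothing. Suggest a short note on at least one of these pages stating how the old names relate to the `ip.src.*` fields and whether existing expressions need to be changed.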