Is it ok to blacklist the .dat files included in t...

jfreund · ‎08-12-2014

They're quite huge (totalling over 70MB) and I've been looking into reducing our knowledge bundle size. From the app description the app's processing is performed on the search heads so I am guessing the files aren't needed on the indexers, so I'm wondering if it's ok to blacklist this app from being included in the knowledge bundle.

myron_davis · ‎10-01-2014

I don't ship out the maxmind database via search bundles.

I use the system maxmind database; if you run debian and install the package geoip-database-contrib; each machine that has that package will be kept auto-up-to-date and if you modify each python script to point to the system maxmind database there is no need to worry about blacklists and the search bundle getting too large.

for example:
asn.py
DB_PATH = os.path.join('/usr','share','GeoIP','GeoIPASNum.dat')

Done; never worry about large search bundles or updated maxmind databases again!,What I've done is edit the lookup script to point to the system maxmind database.

somesoni2 · ‎08-12-2014

I guess that will only be required where searches are executed, e.g. Search Head and Job Servers (if you have dedicated instances for jobs/saved searches/alerts), So it should be OK to exclude them from Indexer instance package.

Is it ok to blacklist the .dat files included in the MAXMIND app?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?