Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

storing geoIP data

awurster
Contributor
‎12-03-2014 04:16 PM

looking for advice on how to best save location and other data enrichment attributes (specifically in 6.x and forward compatibility). what's the best way to store / cache enrichment data such as GeoIP?

saved searches? data models? streamstats? collect?

we are looking to do SIEM type lookups against blacklists, geoIP, etc but would like to cache the data within splunk or perhaps even externally in a data store for future reference.

how are other folks doing this?

0 Karma
Reply

davidpaper
Contributor
‎03-27-2016 07:58 PM

Better late than never ...

So there are a couple of options to store GeoIP data.

1) If you have customer GeoIP data, create your own GeoIP DB. https://blog.maxmind.com/2015/09/29/building-your-own-mmdb-database-for-fun-and-profit/ is a godo start.

2) If you don't want to do #1, or you want to use multiple GeoIP DBs in Splunk concurrently (which we don't currently support), leave the one that comes w/ Splunk in place, and create a lookup table with your GeoIP data in it. If you have multiple GeoIP sources, use multiple lookups, named appropriately.

3) kvstore. Now that kvstore can can be replicated to the indexers (6.3+), you could create a GeoIP collection in the kvstore, one collection per GeoIP DB to reference, and then call it/them when you want to. kvstore will likely scale better as its mongodb behind the scenes than plain text lookups.

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...