How often is the MaxMind GeoIP database updated in Splunk Cloud? Is there a way to update it manually?

mhenson
Engager

How often is the MaxMind GeoIP database updated in Cloud? If the answer is only when a new Splunk release is deployed to the Cloud, is there a way to manually update? The on-premises process doesn't seem possible since the filesystem(s) are not accessible.

0 Karma

imrago
Contributor

If you are using MaxMind for GeoIP of NetFlow/sFlow/IPFIX, the NetFlow Optimizer solution from NetFlow Logic (https://www.netflowlogic.com) has a cron setting to update it as often as you'd like. In addition, GeoIP enrichment is performed at the time the NetFlow record is processed, not at query time in Splunk.

0 Karma

bohanlon_splunk
Splunk Employee

The Latest Support Stance (As of September 2019) is:

Fix: Splunk will NOT commit to version predictability on MaxMind DBs (MMDBs). MMDBs can and most likely will change in line with version upgrades as per the Cloud Maintenance Policy:
https://www.splunk.com/en_us/legal/splunk-cloud-service-maintenance-policy.html

Workaround: If a customer requires version predictability, they may package the MMDB in a custom app. This app WILL be required to undergo vetting. If you wish to discuss or request this, please file a Support ticket.

0 Karma

sloshburch
Splunk Employee

Switched the accepted answer to this one.

0 Karma

mdillon_splunk
Splunk Employee

Splunk documentation has recently been updated with the following:

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Iplocation

If you are using Splunk Cloud, updates to the MMDB file are provided ONLY via Splunk version upgrades. If you wish to discuss or request this, please file a Support ticket.

sloshburch
Splunk Employee

The cloud team has expressed that this is only updated with Splunk upgrades (although they are exploring changing that as per your feature request).

Alternatively, you might be able to submit a Cloud request to have them manually update it with a newer version just like you would for other back-end filesystem requests. You'd likely need to upload the newer version (attach it to the request) and specify any associated config details (https://answers.splunk.com/answers/123430/how-to-update-geoip-database-for-iplocation-command.html has a good explanation).

bohanlon_splunk
Splunk Employee

I downvoted this post because this answer was, but is no longer, valid.

0 Karma

sloshburch
Splunk Employee

@mhenson, I see you've not marked this answer as accepted. I just updated it to reflect what we've learned as part of the feature request. Meanwhile, if you feel this is still not clear in answering, let us know of any additional questions.

0 Karma

sloshburch
Splunk Employee

I also see there's a feature request with Cloud Operations for a regular-automated update.

0 Karma