On using iplocation, Splunk returns incorrect coordinates for an IP, and displays location incorrectly on map with geostats.
For IP 52.43.227.70, it returns coordinates 39.56450, -75.59700.
Whereas the actual coordinates for IP address 52.43.227.70 according to infosnipper.net (or any other online API, for that matter) are 45.8696, -119.688, and the location is in the Oregon region.
Has anyone seen this issue?
Hi rakes568!
Which version of Splunk are you using?
Splunk updates the db used by iplocation with each release; it can be found in $SPLUNK_HOME/share/
I am running 6.6.1 and I am receiving the correct information when comparing to the online services you mentioned.
My guess is you simply have an older version of Splunk, and thus an older copy of the db, and seeing how this is Amazon IP space, it is not surprising it may change.
The good news is, since 6.1 you can update the db manually if you need to!! Check out this blog on the topic!
https://www.splunk.com/blog/2014/07/22/updating-the-iplocation-db.html
To add some additional specificity ... iplocation services are provided by a variety of vendors who collect their data in their own unique way. There is no single, universally accurate way in which "the internet" ties IP addresses to physical locations. Splunk, for their part, uses the Maxmind Geolite2 databases ( https://dev.maxmind.com/geoip/geoip2/geolite2/ ). Geolite2 is great because it is free. Geolite2 is terrible because it has a lower update frequency and lower accuracy overall.
As Matty has mentioned, you can update Splunk's Geolite2 databases relatively easily, or you can accept that they will be updated each time you update Splunk itself.
If iplocation data is very important to you, I would suggest subscribing to Maxmind's Geoip2 database feed service. These feeds should be available in a format compatible with Splunk, and will be updated more frequently and be more accurate overall. But it is a separate subscription above and beyond your Splunk purchase. See https://www.maxmind.com/en/geoip2-city
And here is example code to automate updating the DB:
https://github.com/georgestarcher/TA-geoip
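Both answers above come down to one operational check: is the GeoLite2 copy under $SPLUNK_HOME/share older than it should be? The following is an added shell example, not code from this thread or from Splunk, that flags .mmdb files older than a given number of days; it assumes the bundled file is named GeoLite2-City.mmdb (the thread names only the directory) and runs its demo on a constructed temporary directory.

```shell
#!/bin/sh
# Added example: report MaxMind .mmdb files under a Splunk share directory
# that are older than MAX_DAYS. A stale copy is the usual cause of the
# kind of mismatch shown in the question (cloud IP ranges move around).

# stale_mmdb DIR MAX_DAYS
# Prints one line per .mmdb file modified more than MAX_DAYS ago and
# returns 1 if any were found, 0 otherwise (so it can gate a cron job).
stale_mmdb() {
    dir=$1
    max_days=$2
    # POSIX find: -mtime +N matches files last modified more than N days ago.
    stale=$(find "$dir" -name '*.mmdb' -mtime "+$max_days" 2>/dev/null)
    if [ -n "$stale" ]; then
        printf 'STALE (older than %s days):\n%s\n' "$max_days" "$stale"
        return 1
    fi
    return 0
}

# Stand-alone demo on a constructed directory.
# Real use: stale_mmdb "${SPLUNK_HOME:-/opt/splunk}/share" 365
demo_dir=$(mktemp -d)
# Constructed sample: a database file with an mtime of 22 July 2014
# (assumed filename GeoLite2-City.mmdb).
touch -t 201407220000 "$demo_dir/GeoLite2-City.mmdb"
stale_mmdb "$demo_dir" 365 || echo "iplocation database needs updating"
rm -rf "$demo_dir"
```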
+1 with the points Duane makes. IMO iplocation is a "grain of salt" data point, but the paid services should allow you to be as accurate as you can be with this kind of data.
Thanks. Works perfectly after updating Splunk.