Solved: With Splunk Enterprise Security, I'm getting varyi...

crumblecat88 · ‎02-22-2019

Hi,

I'm getting varied results in Splunk when I investigate an IP address' location. Splunk might say "Netherlands", while multiple third-party resources might say "Estonia."

With no evidence to say one is right over the other — how frequently does Splunk update their geo cache?

Thanks

pkeenan87 · ‎02-22-2019

The iplocation command uses a local .mmdb file to do the lookups, which you can update yourself.

From http://dev.maxmind.com/geoip/geoip2/geolite2/, download the binary gzipped version of the GeoLite2 City database file.
Copy the file to the search head on your Splunk Enterprise instance.
Expand the GZ file.
Stop any real-time searches that are running
Copy the GeoLite2-City.mmdb file to the $SPLUNK_HOME/share/ directory to overwrite the file there.
Restart the real-time searches.

For reference: https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Iplocation

View solution in original post

pkeenan87 · ‎02-22-2019

The iplocation command uses a local .mmdb file to do the lookups, which you can update yourself.

From http://dev.maxmind.com/geoip/geoip2/geolite2/, download the binary gzipped version of the GeoLite2 City database file.
Copy the file to the search head on your Splunk Enterprise instance.
Expand the GZ file.
Stop any real-time searches that are running
Copy the GeoLite2-City.mmdb file to the $SPLUNK_HOME/share/ directory to overwrite the file there.
Restart the real-time searches.

For reference: https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Iplocation

With Splunk Enterprise Security, I'm getting varying IP geo-location results when comparing Splunk to third-party resources — how frequent are Splunk geo cache updates?

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability