Updating the iplocation db

When Splunk added the new version of the iplocation command in v6.0, it added the ability to add location info without the need for internet connectivity. We did this by shipping a custom version of the MaxMind DB in the 6.0.x release. However, because we used a Splunk-specific version of the DB, you still had to wait for a new version of Splunk to get a new copy of the DB.

In 6.1 we added support for using the native MaxMind DB (.mmdb), allowing you to update the DB yourself at any time! It looks like some of you have already figured this out (Go George go!), but I figured I would add some additional info about this new feature.

As George states, you can replace the GeoLite2-City.mmdb file under $SPLUNK_HOME/share/ with a copy of the paid version or with a monthly update of the free version, but there is another way! You can instead set the path to the MMDB file in limits.conf, which keeps the change Splunk-upgrade safe. From the limits.conf.spec file:

db_path =
* Location of GeoIP database in MMDB format
* If not set, defaults to database included with splunk

I downloaded the July 2014 update to test it out:

kbains:local kbains$ cat limits.conf
file_tracking_db_threshold_mb = 500
db_path = /Applications/splunk612/share/GeoLite2-City-201407.mmdb

kbains:share kbains$ ls -l GeoLite2-City-201407.mmdb
-rw-r--r-- 1 kbains SPLUNK\Domain Users 30300878 Jul 22 15:06 GeoLite2-City-201407.mmdb

And of course it worked as expected =)
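As an added example (not from this post, Splunk or MaxMind), a short Python script that checks a downloaded .mmdb before you point db_path at it: it verifies the file's SHA-256 against the digest MaxMind publishes next to the download, then decodes the MaxMind DB metadata section to confirm the database type and build date. The SAMPLE_MMDB bytes are constructed for the demonstration, and the metadata decoder covers only the value types real metadata uses (strings, unsigned ints, maps, arrays).

```python
# Added example, not Splunk's or MaxMind's code: verify a downloaded .mmdb before use.
import hashlib
from datetime import datetime, timezone
from pathlib import Path
MARKER = b"\xab\xcd\xefMaxMind.com"   # the metadata section follows the LAST marker

def _size(data, pos, size):
    extra = 0 if size < 29 else size - 28            # sizes >= 29 use 1-3 extra bytes
    return (size, 29, 285, 65821)[extra] + int.from_bytes(data[pos:pos + extra], "big"), pos + extra

def decode(data, pos):
    """Decode one value of the MaxMind DB data format; returns (value, next_pos)."""
    ctrl, pos = data[pos], pos + 1
    typ = ctrl >> 5
    if typ == 0:                        # extended type: actual type is next byte + 7
        typ, pos = data[pos] + 7, pos + 1
    size, pos = _size(data, pos, ctrl & 0x1F)
    if typ == 2:                        # UTF-8 string of `size` bytes
        return data[pos:pos + size].decode("utf-8"), pos + size
    if typ in (5, 6, 9, 10):            # uint16/32/64/128: `size` big-endian bytes
        return int.from_bytes(data[pos:pos + size], "big"), pos + size
    if typ in (7, 11):                  # map (size = key/value pairs) or array (size = items)
        items = []
        for _ in range(size * 2 if typ == 7 else size):
            item, pos = decode(data, pos)
            items.append(item)
        return (dict(zip(items[::2], items[1::2])) if typ == 7 else items), pos
    raise ValueError(f"metadata type {typ} not handled (pointer/float/bool)")

def parse_metadata(blob):
    idx = blob.rfind(MARKER)
    if idx < 0:
        raise ValueError("not a MaxMind DB file: metadata marker missing")
    return decode(blob, idx + len(MARKER))[0]

def inspect_mmdb(path, expected_sha256):
    """Verify the download against the SHA-256 MaxMind publishes, then decode its metadata."""
    blob = Path(path).read_bytes()
    if hashlib.sha256(blob).hexdigest() != expected_sha256.lower():
        raise ValueError("checksum mismatch: do not install this file")
    return parse_metadata(blob)

def build_date(meta):
    return datetime.fromtimestamp(meta["build_epoch"], tz=timezone.utc).strftime("%Y-%m-%d")

# Constructed sample (not a real download): padding + marker + a 4-key metadata map
SAMPLE_MMDB = (b"\x00" * 64 + MARKER + b"\xe4"                      # map, 4 entries
    + b"\x4d" + b"database_type" + b"\x4d" + b"GeoLite2-City"
    + b"\x4b" + b"build_epoch" + b"\x04\x02\x53\xcc\x58\x00"          # uint64 1405900800
    + b"\x5b" + b"binary_format_major_version" + b"\xa1\x02"           # uint16 2
    + b"\x4a" + b"ip_version" + b"\xa1\x06")                           # uint16 6
```

In limits.conf the db_path setting belongs in the [iplocation] stanza (the spec excerpt above omits the stanza header); a file that fails the checksum, or whose build_epoch is older than the copy already installed, should not be swapped in.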

Happy Splunking!

Karandeep Bains
