Splunk Updating the GeoIP Database

In the “old days” we had to install the Google Maps App for Splunk to get IP geolocation lookups. Splunk added the built-in iplocation command in v6. The MaxMind free database is used by both the Maps app and Splunk natively.

It is very convenient and fun to make searches like:

tag=authentication action=failure | stats count values(user) by src_ip | iplocation src_ip

The issue we run into is that IP information changes often. Splunk does not provide any automatic update for the database. You only seem to get a new copy when you install a version release (e.g. upgrading v6 to v6.1.2). The documentation does not even detail where the database is located within Splunk. Lastly, you might have a good reason for not upgrading to a release the moment it comes out just to get more current IP location information: you might not want to risk breaking something in your deployment until you can test it.

Here is how you can replace the database manually. You can use the free one that Maxmind updates monthly or you might pay for the commercial copy.

  1. Download the current database from http://dev.maxmind.com/geoip/geoip2/geolite2/ . You will want the city binary gzipped version.
  2. Copy it to your Splunk search head server.
  3. Expand the gzipped file to get the file GeoLite2-City.mmdb
  4. Overwrite the copy in $SPLUNK_HOME/share/
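Steps 2 through 4 are easy to get slightly wrong by hand (a truncated download, a file that is not actually a MaxMind DB, or the old copy gone with no way back), so here is an added shell script that does them with the checks a practitioner would want. It is an example written for this post, not Splunk's or MaxMind's own tooling, and it assumes you have already downloaded GeoLite2-City.mmdb.gz yourself (MaxMind now requires a free account and license key for that download), that SPLUNK_HOME is /opt/splunk unless you say otherwise, and that the copy in $SPLUNK_HOME/share/ is the one iplocation reads, as the post describes.

```shell
#!/bin/sh
# Added example (not from the original post): replace the GeoLite2-City.mmdb that
# Splunk's iplocation command reads, with integrity checks and a backup of the old copy.
# Assumptions: the gzipped database was already downloaded from MaxMind by hand,
# SPLUNK_HOME defaults to /opt/splunk, and the database lives in $SPLUNK_HOME/share/.

set -u

# A MaxMind DB file ends with a metadata section that is introduced by the bytes
# 0xAB 0xCD 0xEF followed by the ASCII string "MaxMind.com". Checking for that
# marker catches an HTML error page or a tarball being installed as the database.
is_mmdb() {
    LC_ALL=C grep -qaF "$(printf '\253\315\357MaxMind.com')" "$1"
}

# update_geoip <path-to-GeoLite2-City.mmdb.gz> [SPLUNK_HOME]
# Returns 0 on success, 1 if the download is unusable or Splunk is not where expected.
update_geoip() {
    gz="$1"
    splunk_home="${2:-${SPLUNK_HOME:-/opt/splunk}}"
    share="$splunk_home/share"
    target="$share/GeoLite2-City.mmdb"

    # Refuse to create a stray share/ directory: if it is missing, SPLUNK_HOME is wrong.
    if [ ! -d "$share" ]; then
        echo "no share directory under $splunk_home; check SPLUNK_HOME" >&2
        return 1
    fi

    # Verify the gzip stream before touching anything (catches truncated downloads).
    if ! gzip -t "$gz" 2>/dev/null; then
        echo "corrupt or non-gzip download: $gz" >&2
        return 1
    fi

    tmp="$(mktemp)"
    if ! gzip -dc "$gz" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    if ! is_mmdb "$tmp"; then
        echo "decompressed file is not a MaxMind DB: $gz" >&2
        rm -f "$tmp"
        return 1
    fi

    # Keep the previous database so a bad update can be rolled back.
    if [ -f "$target" ]; then
        cp -p "$target" "$target.$(date +%Y%m%d%H%M%S).bak"
    fi

    # Stage next to the target and rename, so a running search never reads a half-written file.
    cp "$tmp" "$target.new" && chmod 644 "$target.new" && mv -f "$target.new" "$target"
    rm -f "$tmp"
    echo "installed $target"
}

# When run directly with arguments, do the update; sourcing the file only defines the functions.
if [ $# -gt 0 ]; then
    update_geoip "$@"
fi
```

Run it as the user that owns the Splunk installation, for example `./update_geoip.sh ~/GeoLite2-City.mmdb.gz /opt/splunk`, then confirm with a quick search such as `| makeresults | eval ip="8.8.8.8" | iplocation ip` that the City and Country fields still populate. As the post notes, a Splunk upgrade will overwrite this file again, so rerun the script afterwards.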

That is it. You have updated the existing copy with the currently available one. You should update it monthly or after you patch Splunk as it too will overwrite the copy in that location.