storing geoIP data

awurster — Thu, 04 Dec 2014 00:16:02 GMT

looking for advice on how to best save location and other data enrichment attributes (specifically in 6.x and forward compatibility). what's the best way to store / cache enrichment data such as GeoIP?

saved searches? data models? streamstats? collect?

we are looking to do SIEM type lookups against blacklists, geoIP, etc but would like to cache the data within splunk or perhaps even externally in a data store for future reference.

how are other folks doing this?

Re: storing geoIP data

davidpaper — Mon, 28 Mar 2016 02:58:36 GMT

Better late than never ...

So there are a couple of options to store GeoIP data.

1) If you have customer GeoIP data, create your own GeoIP DB. https://blog.maxmind.com/2015/09/29/building-your-own-mmdb-database-for-fun-and-profit/ is a godo start.

2) If you don't want to do #1, or you want to use multiple GeoIP DBs in Splunk concurrently (which we don't currently support), leave the one that comes w/ Splunk in place, and create a lookup table with your GeoIP data in it. If you have multiple GeoIP sources, use multiple lookups, named appropriately.

3) kvstore. Now that kvstore can can be replicated to the indexers (6.3+), you could create a GeoIP collection in the kvstore, one collection per GeoIP DB to reference, and then call it/them when you want to. kvstore will likely scale better as its mongodb behind the scenes than plain text lookups.

topic storing geoIP data in Security

storing geoIP data

Re: storing geoIP data