https://community.splunk.com/t5/Splunk-Enterprise/iplocation-command-usage/m-p/547609#M5570 <P>Yeah, just a couple things:</P><P>&nbsp;</P><UL><LI>The limits.conf will have to be different between the SHs and the Indexers since the indexers will have the app with limits.conf in ../etc/slave-apps while the search head will have it in .../etc/apps (assuming you dont have a search head cluster)</LI><LI>Also make sure you remove/rename the limits.conf file in /opt/splunk/etc/system/local if present.</LI><LI>You can also include a script in your app you deploy to auto-update the DB on your indexers. You may have to set up a cron to run it though.&nbsp;</LI></UL><P>Hope that helped!</P> Mon, 12 Apr 2021 12:57:23 GMT 96nick 2021-04-12T12:57:23Z https://community.splunk.com/t5/Splunk-Enterprise/iplocation-command-usage/m-p/547178#M5552 <P>we are using&nbsp;iplocation command&nbsp;</P><P>i see that the&nbsp;GeoLite2-City.mmdb file is since 2019&nbsp;</P><P>[splunk@ilissplsh01 bin]$ ll /opt/splunk/share/GeoLite2-City.mmdb<BR />-r--r--r-- 1 splunk splunk 60695934 Dec 18 2019 /opt/splunk/share/GeoLite2-City.mmdb<BR />[splunk@ilissplsh01 bin]$</P><P>&nbsp;</P><P>I have downloaded the file from&nbsp;<A href="https://www.maxmind.com/en/accounts/532070/geoip/downloads" target="_blank" rel="noopener">https://www.maxmind.com/en/accounts/532070/geoip/downloads</A></P><P>&nbsp;</P><P>also I see that there is&nbsp;<SPAN>Geolocation Lookup for Splunk&nbsp;</SPAN>APP (<A href="https://splunkbase.splunk.com/app/4102/#/overview" target="_blank" rel="noopener">https://splunkbase.splunk.com/app/4102/#/overview</A>) to allow&nbsp;iplocation&nbsp;</P><P>&nbsp;</P><P>what is the recommended way to work with the command&nbsp; ?&nbsp;&nbsp;</P><P>thanks&nbsp;</P> Thu, 08 Apr 2021 12:11:24 GMT https://community.splunk.com/t5/Splunk-Enterprise/iplocation-command-usage/m-p/547178#M5552 rayar 2021-04-08T12:11:24Z https://community.splunk.com/t5/Splunk-Enterprise/iplocation-command-usage/m-p/547186#M5553 <P>If you're talking about just updating the file, you're on the right track.&nbsp;Do you have a distributed environment or a single instance?</P><P>&nbsp;</P><P>Single Instance:</P><P>You can download the '<A href="https://splunkbase.splunk.com/app/5482/" target="_self">Auto Update Maxmind Database</A>' app on Splunkbase. It creates a Splunk command that downloads the newest DB for you after you put in your license key. Works well enough if you have a single instance.</P><P>&nbsp;</P><P>Distributed Environment:</P><P>&nbsp;If you have indexers, search heads, etc. you will have to replace the mmdb file on your indexers as well. This is because <A href="https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/Iplocation" target="_self">iplocation</A> is a distributable streaming command. The app I listed above won't do that, and it also doesn't easily support using a paid database from Maxmind if you choose to upgrade. In my environment I created an app that has a bash script, the database, and limits.conf. The bash script wgets the database (scheduled via cron), and limits.conf changes the location of the database to my app.&nbsp; You can view more information on that process&nbsp;<A href="https://www.splunk.com/en_us/blog/tips-and-tricks/updating-the-iplocation-db.html" target="_self">here in a Splunk Blog post.</A></P><P>&nbsp;</P><P>Hope that helped!</P> Thu, 08 Apr 2021 13:08:31 GMT https://community.splunk.com/t5/Splunk-Enterprise/iplocation-command-usage/m-p/547186#M5553 96nick 2021-04-08T13:08:31Z https://community.splunk.com/t5/Splunk-Enterprise/iplocation-command-usage/m-p/547206#M5554 <P>thanks a lot&nbsp;</P><P>we have a distributed env and we are using deployment server&nbsp;</P><P>can't I distribute the file using it&nbsp; ?</P> Thu, 08 Apr 2021 14:06:53 GMT https://community.splunk.com/t5/Splunk-Enterprise/iplocation-command-usage/m-p/547206#M5554 rayar 2021-04-08T14:06:53Z https://community.splunk.com/t5/Splunk-Enterprise/iplocation-command-usage/m-p/547220#M5559 <P>You can distribute the app with the deployer (the SH kind, not the deployment server that connects with your forwarders) if you have a search head cluster. If you only have 1 search head then you wouldn't have a deployer.&nbsp;</P><P>You'll have to set up a cron on the SHs manually (or by using a system management tool if you have one to set the cron) to pull down the database, something like:</P><P>&nbsp;</P><P># Gets the database from maxmind at 7am every Wednesday</P><P>0 7 * * * 3 /opt/splunk/.../&lt;your app&gt;/bin/getdatabase.sh&nbsp;</P><P>&nbsp;</P><P>Maxmind updates the database on Tuesday, so I would pull the database down on Wednesday since it's unknown exactly when on Tuesday they push an update.&nbsp;</P><P>Since you have indexers you'll have to replace those mmdb files as well. The same concept can be applied to the indexers (some script + cron).</P> Thu, 08 Apr 2021 15:08:55 GMT https://community.splunk.com/t5/Splunk-Enterprise/iplocation-command-usage/m-p/547220#M5559 96nick 2021-04-08T15:08:55Z https://community.splunk.com/t5/Splunk-Enterprise/iplocation-command-usage/m-p/547561#M5568 <P>I have installed the&nbsp;Auto Update MaxMind Database on the SH (<A href="https://splunkbase.splunk.com/app/5482/#/details" target="_blank">https://splunkbase.splunk.com/app/5482/#/details</A>)<BR /><BR /></P><P>the&nbsp;GeoLite2-City.mmdb file will be copied to deployment server and deployed to all indexers&nbsp;</P><P>also I will create limits.conf on both SH and indexers with the below&nbsp;</P><P>splunk@ilisspldepl01 local]$ cat limits.conf<BR />[iplocation]<BR />db_path = /opt/splunk/etc/slave-apps/AM_maxmind_indexers/local/GeoLite2-City.mmdb<BR />[splunk@ilisspldepl01 local]$</P><P>is it the right way or I better overwrite the /opt/splunk/share/GeoLite2-City.mmdb on the indexers and the SH ?&nbsp;<BR />&nbsp;</P> Mon, 12 Apr 2021 05:52:13 GMT https://community.splunk.com/t5/Splunk-Enterprise/iplocation-command-usage/m-p/547561#M5568 rayar 2021-04-12T05:52:13Z https://community.splunk.com/t5/Splunk-Enterprise/iplocation-command-usage/m-p/547609#M5570 <P>Yeah, just a couple things:</P><P>&nbsp;</P><UL><LI>The limits.conf will have to be different between the SHs and the Indexers since the indexers will have the app with limits.conf in ../etc/slave-apps while the search head will have it in .../etc/apps (assuming you dont have a search head cluster)</LI><LI>Also make sure you remove/rename the limits.conf file in /opt/splunk/etc/system/local if present.</LI><LI>You can also include a script in your app you deploy to auto-update the DB on your indexers. You may have to set up a cron to run it though.&nbsp;</LI></UL><P>Hope that helped!</P> Mon, 12 Apr 2021 12:57:23 GMT https://community.splunk.com/t5/Splunk-Enterprise/iplocation-command-usage/m-p/547609#M5570 96nick 2021-04-12T12:57:23Z https://community.splunk.com/t5/Splunk-Enterprise/iplocation-command-usage/m-p/547612#M5571 <P>The limits.conf are different on indexers and SH&nbsp;<BR /><BR /></P><P>we don't have&nbsp;/opt/splunk/etc/system/local/limits.conf&nbsp;</P><P>&nbsp;</P><P>the updated file will be copied with cron to the deployment server&nbsp;</P><P>&nbsp;</P><P>thanks a lot , will test it during the week&nbsp;</P> Mon, 12 Apr 2021 13:02:11 GMT https://community.splunk.com/t5/Splunk-Enterprise/iplocation-command-usage/m-p/547612#M5571 rayar 2021-04-12T13:02:11Z