How often is the MaxMind GeoIP database updated in Splunk Cloud? Is there a way to update it manually?

Engager

How often is the MaxMind GeoIP database updated in Cloud? If the answer is only when a new Splunk release is deployed to the Cloud, is there a way to manually update? The on premise process doesn't seem possible since the filesystem(s) are not accessible.

0 Karma

Contributor

If you are using MaxMind for GeoIP of NetFlow/sFlow/IPFIX, the NetFlow Optimizer solution from NetFlow Logic (https://www.netflowlogic.com) has a cron setting to update it as often as you'd like. In addition, GeoIP enrichment is performed at the time when the NetFlow record is processed, not at query time in Splunk.

0 Karma

Splunk Employee

The Latest Support Stance (As of September 2019) is:

Fix: Splunk will NOT commit to version predictability on MaxMind DBs (MMDBs). MMDBs can and most likely will change in line with version upgrades as per the Cloud Maintenance Policy:
https://www.splunk.com/en_us/legal/splunk-cloud-service-maintenance-policy.html

Workaround: If a customer requires version predictability, they may package the MMDB in a custom app. This app WILL be required to undergo vetting. If you wish to discuss or request this, please file a Support ticket.

0 Karma

Ultra Champion

Switched the accepted answer to this one.

0 Karma

Splunk Employee

Splunk documentation has recently been updated with the following:

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Iplocation

If you are using Splunk Cloud, updates to the MMDB file are provided ONLY via Splunk version upgrades. If you wish to discuss or request this, please file a Support ticket.

Ultra Champion

The cloud team has expressed that this is only updated with Splunk upgrades (although they are exploring changing that as per your feature request).

Alternatively, you might be able to submit a Cloud request to have them manually update it with a newer version just like you would for other back-end filesystem requests. You'd likely need to upload the newer version (attach it to the request) and specify any associated config details (https://answers.splunk.com/answers/123430/how-to-update-geoip-database-for-iplocation-command.html has a good explanation).

Splunk Employee

I downvoted this post because this answer was, but is no longer, valid.

0 Karma

Ultra Champion

@mhenson, I see you've not marked this answer as accepted. I just updated it to reflect what we've learned as part of the feature request. Meanwhile, if you feel this is still not clear in answering, let us know of any additional questions.

0 Karma

Ultra Champion

I also see there's a feature request with Cloud Operations for a regular-automated update.

0 Karma