How often is the MaxMind GeoIP database updated in Splunk Cloud? Is there a way to update it manually?

mhenson
Engager

How often is the MaxMind GeoIP database updated in Cloud? If the answer is only when a new Splunk release is deployed to the Cloud, is there a way to manually update? The on-premises process doesn't seem possible since the filesystem(s) are not accessible.

0 Karma
1 Solution

bohanlon_splunk
Splunk Employee

The Latest Support Stance (As of September 2019) is:

Fix: Splunk will NOT commit to version predictability on MaxMind DBs (MMDBs). MMDBs can and most likely will change in line with version upgrades as per the Cloud Maintenance Policy:
https://www.splunk.com/en_us/legal/splunk-cloud-service-maintenance-policy.html

Workaround: If a customer requires version predictability, they may package the MMDB in a custom app. This app WILL be required to undergo vetting. If you wish to discuss or request this, please file a Support ticket.

0 Karma

imrago
Contributor

If you are using MaxMind for GeoIP of NetFlow/sFlow/IPFIX, the NetFlow Optimizer solution from NetFlow Logic (https://www.netflowlogic.com) has a cron setting to update it as often as you'd like. In addition, GeoIP enrichment is performed at the time the NetFlow record is processed, not at query time in Splunk.

0 Karma

sloshburch
Ultra Champion

Switched the accepted answer to this one.

0 Karma

mdillon_splunk
Splunk Employee

Splunk documentation has recently been updated with the following:

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Iplocation

If you are using Splunk Cloud, updates to the MMDB file are provided ONLY via Splunk version upgrades. If you wish to discuss or request this, please file a Support ticket.

sloshburch
Ultra Champion

The cloud team has expressed that this is only updated with Splunk upgrades (although they are exploring changing that as per your feature request).

Alternatively, you might be able to submit a Cloud request to have them manually update it with a newer version just like you would for other back-end filesystem requests. You'd likely need to upload the newer version (attach it to the request) and specify any associated config details (https://answers.splunk.com/answers/123430/how-to-update-geoip-database-for-iplocation-command.html has a good explanation).
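Before attaching a newer MMDB to a Cloud request (or packaging one in a custom app, as the accepted answer describes), it is worth confirming which build you actually have, since the file name alone does not say. The following is an added example, not code from this thread, from Splunk or from MaxMind: it decodes the metadata map that every MaxMind DB file carries after its `\xab\xcd\xefMaxMind.com` marker and reports the database type, build date and age. It implements only the subset of the MaxMind DB format needed for that map (no pointers, no search tree), and the `SAMPLE_MMDB` bytes are constructed here purely so the script runs offline.

```python
"""Report the build date of a MaxMind DB (.mmdb) file from its metadata section.

Added example (not from the Splunk thread, Splunk or MaxMind). Decodes only
the metadata map at the end of the file; SAMPLE_MMDB below is constructed.
"""
import struct
import sys
from datetime import datetime, timezone

METADATA_MARKER = b"\xab\xcd\xefMaxMind.com"


def _read_control(buf, pos):
    """Decode one control byte: returns (type, size, position after it)."""
    ctrl = buf[pos]
    pos += 1
    typ = ctrl >> 5
    if typ == 0:                      # extended type: 7 + the next byte
        typ = 7 + buf[pos]
        pos += 1
    if typ == 1:
        raise ValueError("pointer encountered; pointers do not occur in metadata")
    size = ctrl & 0x1F
    if size == 29:                    # multi-byte size encodings
        size = 29 + buf[pos]
        pos += 1
    elif size == 30:
        size = 285 + int.from_bytes(buf[pos:pos + 2], "big")
        pos += 2
    elif size == 31:
        size = 65821 + int.from_bytes(buf[pos:pos + 3], "big")
        pos += 3
    return typ, size, pos


def _decode(buf, pos):
    """Decode one value of the MaxMind DB data-section encoding."""
    typ, size, pos = _read_control(buf, pos)
    if typ == 2:                                  # UTF-8 string
        return buf[pos:pos + size].decode("utf-8"), pos + size
    if typ == 3:                                  # double
        return struct.unpack(">d", buf[pos:pos + 8])[0], pos + 8
    if typ == 4:                                  # raw bytes
        return bytes(buf[pos:pos + size]), pos + size
    if typ in (5, 6, 9, 10):                      # uint16 / uint32 / uint64 / uint128
        return int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if typ == 8:                                  # int32 (signed only when 4 bytes long)
        return int.from_bytes(buf[pos:pos + size], "big", signed=(size == 4)), pos + size
    if typ == 7:                                  # map: size is the number of pairs
        out = {}
        for _ in range(size):
            key, pos = _decode(buf, pos)
            val, pos = _decode(buf, pos)
            out[key] = val
        return out, pos
    if typ == 11:                                 # array: size is the element count
        items = []
        for _ in range(size):
            item, pos = _decode(buf, pos)
            items.append(item)
        return items, pos
    if typ == 14:                                 # boolean: the value is the size field
        return bool(size), pos
    if typ == 15:                                 # float
        return struct.unpack(">f", buf[pos:pos + 4])[0], pos + 4
    raise ValueError(f"unsupported data type {typ} in metadata")


def read_metadata(mmdb_bytes):
    """Find the last metadata marker and decode the map that follows it."""
    start = mmdb_bytes.rfind(METADATA_MARKER)
    if start < 0:
        raise ValueError("not a MaxMind DB file: metadata marker missing")
    meta, _ = _decode(mmdb_bytes, start + len(METADATA_MARKER))
    return meta


def summarize(meta):
    """The fields an admin compares between the shipped and the packaged file."""
    built = datetime.fromtimestamp(meta["build_epoch"], tz=timezone.utc)
    return {
        "database_type": meta["database_type"],
        "build_date": built.isoformat(),
        "ip_version": meta["ip_version"],
        "node_count": meta["node_count"],
        "format": f'{meta["binary_format_major_version"]}.{meta["binary_format_minor_version"]}',
    }


def age_days(meta, now_epoch):
    """Age of the database in days relative to a given UNIX timestamp."""
    return (now_epoch - meta["build_epoch"]) / 86400


# --- constructed sample: a minimal encoder (sizes < 29 only) to build a fake file tail ---
def _ctrl(typ, size):
    assert size < 29
    return bytes([(typ << 5) | size]) if typ <= 7 else bytes([size, typ - 7])


def _enc_str(s):
    b = s.encode("utf-8")
    return _ctrl(2, len(b)) + b


def _enc_uint(value, typ):
    n = max(1, (value.bit_length() + 7) // 8)
    return _ctrl(typ, n) + value.to_bytes(n, "big")


def _enc_map(pairs):
    return _ctrl(7, len(pairs)) + b"".join(_enc_str(k) + v for k, v in pairs)


SAMPLE_MMDB = (
    b"\x00" * 64                       # stand-in for the search tree and data section
    + METADATA_MARKER
    + _enc_map([
        ("binary_format_major_version", _enc_uint(2, 5)),
        ("binary_format_minor_version", _enc_uint(0, 5)),
        ("build_epoch", _enc_uint(1567296000, 9)),      # 2019-09-01T00:00:00Z
        ("database_type", _enc_str("GeoLite2-City")),
        ("description", _enc_map([("en", _enc_str("Constructed sample"))])),
        ("ip_version", _enc_uint(6, 5)),
        ("languages", _ctrl(11, 1) + _enc_str("en")),
        ("node_count", _enc_uint(1, 6)),
        ("record_size", _enc_uint(28, 5)),
    ])
)

if __name__ == "__main__":
    # usage: python mmdb_build_date.py /path/to/GeoLite2-City.mmdb  (no argument: sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MMDB
    meta = read_metadata(data)
    print(summarize(meta))
    print(f"age: {age_days(meta, datetime.now(tz=timezone.utc).timestamp()):.0f} days")
```

Run it against the file you intend to upload and against a copy of the one Splunk ships (on an on-premises instance that is `$SPLUNK_HOME/share/GeoLite2-City.mmdb`); comparing the two `build_date` values tells you whether the request is worth filing and gives Support a concrete version to record. The decoder raises on pointer types deliberately, because pointers cannot appear in the metadata map and their presence would mean the marker was found inside user data rather than at the real metadata section.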

bohanlon_splunk
Splunk Employee

I downvoted this post because this answer was but is no longer valid.

0 Karma

sloshburch
Ultra Champion

@mhenson, I see you've not marked this answer as accepted. I just updated it to reflect what we've learned as part of the feature request. Meanwhile, if you feel this still doesn't answer the question clearly, let us know if you have any additional questions.

0 Karma

sloshburch
Ultra Champion

I also see there's a feature request with Cloud Operations for a regular, automated update.

0 Karma