All Apps and Add-ons

How to get IP geographical information for MAXMIND database?

somu2014
New Member

Hiii guys

i have a problem with maxmind application
when i use this query:
host="ids"|lookup geoip clientip as "Source Address"|table "Source Address" client_city
i am getting following error

"Script for lookup table 'geoip' returned error code 1. Results may be incorrect."

I removed the lookup field, but now I am getting error "Unknown search command 'geoip'"
before using lookup we have to create anything for that query..

i am new to splunk pls help me..

thanks in advance..

0 Karma

wrangler2x
Motivator

Here is how you do that:

... | lookup geoip clientip AS IP | table client IP client

Where IP is the name of your IP address field in your search/index/sourcetype and clientip is a field name that is input to the geoip lookup (which means it has to be there. When you run the table command after the lookup is done there are a number of fields available to you. By doing client_* you get them all. If you want just certain of the fields, change the client_* to a list of the fields you want (i.e., client_city, client_region, client_country_code3, etc.).

0 Karma

neelamssantosh
Contributor

use
index=xxx| iplocation src_ip | search xxx

All the best

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

The regular iplocation command will output city and country fields as well. Just update the DB to whatever MaxMind DB you need as described in the Splunk Blog post I linked to earlier.

somu2014
New Member

if i want use maxmind db for my Source address.
i think i have to create lookup for that field. then only lookup geoip command will work? is it correct or is there any way to sort it out....

0 Karma

neelamssantosh
Contributor

maxmind db is same as splunk db

i cant say yes,
maxmind db get updated often but
splunk db uses maxmind db.

but i hope it will meet ur requirement.

0 Karma

somu2014
New Member

i have a concern, is maxmind db is same as splunk db for country and city information

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You can use a MaxMind DB with Splunk's iplocation command.

http://blogs.splunk.com/2014/07/22/updating-the-iplocation-db/

VatsalJagani
SplunkTrust
SplunkTrust

This App seems to be really useful for updating the latest mmdb file - https://splunkbase.splunk.com/app/5482/.

The App auto-updates the MaxMind database without going into the backend. It also allows you to run a search command on Splunk search to manually download and update the latest database. 

96nick
Communicator

Was just going to tackle a project to do this, thanks for linking!

0 Karma

somu2014
New Member

iplocation is for splunk database ..
but i need it in maxmind database

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

As suggested in http://answers.splunk.com/answers/147645/why-am-i-getting-all-public-ip-addresses-as-private-using-m... you should consider using the Splunk 6 built-in command iplocation for resolving IP addresses to geoinformation. See http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/iplocation for reference.

somu2014
New Member

error:
Script for lookup table 'geoip' returned error code 1. Results may be incorrect

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...