
How to get IP geographical information for MAXMIND database?

New Member

Hi guys,

I have a problem with the MaxMind application.
When I use this query:
host="ids"|lookup geoip clientip as "Source Address"|table "Source Address" client_city
I am getting the following error:

"Script for lookup table 'geoip' returned error code 1. Results may be incorrect."

I removed the lookup field, but now I am getting the error "Unknown search command 'geoip'".
Do we have to create anything for that query before using lookup?

I am new to Splunk, please help me.

Thanks in advance.

0 Karma

Re: How to get IP geographical information for MAXMIND database?

New Member

Error:
Script for lookup table 'geoip' returned error code 1. Results may be incorrect

0 Karma

Re: How to get IP geographical information for MAXMIND database?

SplunkTrust

As suggested in http://answers.splunk.com/answers/147645/why-am-i-getting-all-public-ip-addresses-as-private-using-m... you should consider using the Splunk 6 built-in command iplocation for resolving IP addresses to geoinformation. See http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/iplocation for reference.


Re: How to get IP geographical information for MAXMIND database?

Contributor

Use:
index=xxx| iplocation src_ip | search xxx

All the best

0 Karma

Re: How to get IP geographical information for MAXMIND database?

New Member

iplocation is for the Splunk database,
but I need it in the MaxMind database.

0 Karma

Re: How to get IP geographical information for MAXMIND database?

SplunkTrust

You can use a MaxMind DB with Splunk's iplocation command.

http://blogs.splunk.com/2014/07/22/updating-the-iplocation-db/

0 Karma

Re: How to get IP geographical information for MAXMIND database?

New Member

I have a concern: is the MaxMind DB the same as the Splunk DB for country and city information?

0 Karma

Re: How to get IP geographical information for MAXMIND database?

Contributor

"MaxMind DB is the same as Splunk DB"

I can't say yes.
The MaxMind DB gets updated often, but
the Splunk DB uses the MaxMind DB.

But I hope it will meet your requirement.

0 Karma

Re: How to get IP geographical information for MAXMIND database?

New Member

If I want to use the MaxMind DB for my Source Address,
I think I have to create a lookup for that field; only then will the lookup geoip command work? Is that correct, or is there any way to sort it out?

0 Karma

Re: How to get IP geographical information for MAXMIND database?

SplunkTrust

The regular iplocation command will output city and country fields as well. Just update the DB to whatever MaxMind DB you need as described in the Splunk Blog post I linked to earlier.