I have a problem with the MaxMind application.
When I use this query:
host="ids"|lookup geoip clientip as "Source Address"|table "Source Address" client_city
I am getting the following error:
"Script for lookup table 'geoip' returned error code 1. Results may be incorrect."
I removed the lookup field, but now I am getting the error "Unknown search command 'geoip'".
Before using lookup, do we have to create anything for that query?
I am new to Splunk, please help me.
Thanks in advance.
As suggested in http://answers.splunk.com/answers/147645/why-am-i-getting-all-public-ip-addresses-as-private-using-m... you should consider using the Splunk 6 built-in command
iplocation for resolving IP addresses to geoinformation. See http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/iplocation for reference.
Is the MaxMind DB the same as the Splunk DB?
I can't say yes:
the MaxMind DB gets updated often, but
the Splunk DB uses the MaxMind DB.
But I hope it will meet your requirement.
If I want to use the MaxMind DB for my Source Address,
I think I have to create a lookup for that field; only then will the lookup geoip command work? Is that correct, or is there any other way to sort it out?
iplocation command will output city and country fields as well. Just update the DB to whatever MaxMind DB you need as described in the Splunk Blog post I linked to earlier.
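As an added illustration (not part of any post in this thread), the three search forms discussed above side by side: the external-lookup form that fails when the `geoip` lookup script is missing or broken, the mistaken form that drops `lookup` and so makes Splunk treat `geoip` as a search command, and the built-in `iplocation` form. The `host="ids"` filter and the `Source Address` field name come from the question; `City`, `Country` and `Region` are standard `iplocation` output fields.

```spl
# 1. External lookup: only works if a lookup named "geoip" is defined in
#    transforms.conf (and, for a scripted lookup, its script exits 0).
#    A script failure gives "Script for lookup table 'geoip' returned error code 1".
host="ids"
| lookup geoip clientip AS "Source Address"
| table "Source Address" client_city

# 2. Removing "lookup" does not fall back to anything: "geoip" is then parsed
#    as a search command and fails with "Unknown search command 'geoip'".
host="ids"
| geoip clientip AS "Source Address"

# 3. Built-in iplocation: no lookup definition needed. It reads the GeoIP
#    database shipped with Splunk (replaceable with a newer MaxMind file)
#    and adds City, Country, Region, lat and lon fields to each event.
host="ids"
| iplocation "Source Address"
| table "Source Address" City Region Country

# 4. Same enrichment, summarised for a quick view of where traffic originates.
host="ids"
| iplocation "Source Address"
| stats count BY Country
| sort - count
```

Form 3 is a direct replacement for form 1: the city that the external lookup was supposed to populate in `client_city` arrives in `City` instead, so any downstream `table` or `stats` clause only needs the field name changed.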