Re: How to replace Geo Location Database

renebrutschin · ‎12-18-2013

Does anyone know on how to replace the included GeoLite Database with a commercial version of GeoIP Country from MAXMIND? After replacing the database files, IP location lookup does not work anymore ...

Any ideas?

Regards,
Rene

jsie_splunk · ‎12-18-2013

Hi there,

I'm assuming you're referring to the Maxmind app located here http://apps.splunk.com/app/291/. As it is currently written, it specifically requires a GeoIP City type of database. Using a GeoIP Country type would require some modification of the custom search command implementation.

If you're okay using the City type, then you need to replace the Lite version at

$SPLUNK_HOME/etc/apps/MAXMIND/bin/GeoLiteCity.dat

with the commercial one. Be sure to maintain the same name "GeoLiteCity.dat" as it's coded within the python script. Alternatively, you could modify the python script

$SPLUNK_HOME/etc/apps/MAXMIND/bin/geoip.py

and replace the file name with your commercial one.

Change:
DB_PATH=('GeoLiteCity.dat')

To:
DB_PATH=('YOURFILENAME.dat')

Regards and good luck.

renebrutschin · ‎12-23-2013

Thanks, as we only need country information and Geo IP City is much more expensive then Geo IP Country we will have to customize the custom search.

How to replace Geo Location Database

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation