- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Inconsistent Country returned by iplocation lookup
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Inconsistent Country returned by iplocation lookup
I recently deployed a new iplocation MMDB file using the cool method provided by Erik Horton here:
blog.hortonew.com/splunk-automatically-update-geoip-database-across-environment
However, I've noticed that sometimes, when I perform a lookup, I'll get different country results for the same IP address even within the same query. Specifically, I'm doing lookups against the IP addrs in my Okta logs, and it (mostly) comes up with Canada for the IP,
sourcetype="okta:im" action=success "action.categories{}"="Sign-in Success" targets{}.login=userid@domain.com
| iplocation src_ip
| eval Country=if(Country="","N/A",Country)| table _time, targets{}.login, src_ip, Country, City, Region
| sort _time
The result is:
_time,targets{}.login,src_ip,Country,City,Region
2018-02-20T18:56:29.000-0500,user@domain.com,38.21.25.x,Canada,Scarborough,Ontario
2018-02-21T08:50:41.000-0500,user@domain.com,38.21.25.x,Canada,Scarborough,Ontario
2018-02-22T11:33:28.000-0500,user@domain.com,38.21.25.x,Canada,Scarborough,Ontario
2018-02-23T09:13:32.000-0500,user@domain.com,38.21.25.x,United States,,
2018-02-24T23:54:53.000-0500,user@domain.com,38.21.25.x,Canada,Scarborough,Ontario
2018-02-25T00:18:17.000-0500,user@domain.com,38.21.25.x,Canada,Scarborough,Ontario
2018-02-25T00:24:04.000-0500,user@domain.com,38.21.25.x,Canada,Scarborough,Ontario
2018-02-25T22:01:21.000-0500,user@domain.com,38.21.25.x,Canada,Scarborough,Ontario
Particularly unusual is that it's always the same time entry that comes up as United States, while the rest come up as Canada.
Anyone know why this might be, or similar experience/solution?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just to close this off since it's been resolved for a while... The issue was a typo in the path for the new mmdb file on the cluster peers. As a result, the peers were still using the mmdb that was in place before using the deployment server method and the first were not in sync. That @starcher for pointing me in the right direction.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you using search or index clustering?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good question. I just made sure that the Cluster Master, Cluster Peers, and Search Head all have the updated MMDB file downloaded and in place. Any ideas what else might be the issue? Is there any way to validate which MMDB file is being used - just to make sure the limits.conf is taking effect from an app directory instead of etc/system/local?
Developer Spotlight with Paul Stout
State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...
Data-Driven Success: Splunk & Financial Services
