All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Inconsistent Country returned by iplocation lookup

gordo32
Communicator
‎03-15-2018 02:12 PM

I recently deployed a new iplocation MMDB file using the cool method provided by Erik Horton here:
blog.hortonew.com/splunk-automatically-update-geoip-database-across-environment

However, I've noticed that sometimes, when I perform a lookup, I'll get different country results for the same IP address even within the same query. Specifically, I'm doing lookups against the IP addrs in my Okta logs, and it (mostly) comes up with Canada for the IP,


sourcetype="okta:im" action=success "action.categories{}"="Sign-in Success" targets{}.login=userid@domain.com
| iplocation src_ip
| eval Country=if(Country="","N/A",Country)| table _time, targets{}.login, src_ip, Country, City, Region
| sort _time

The result is:

_time,targets{}.login,src_ip,Country,City,Region
2018-02-20T18:56:29.000-0500,user@domain.com,38.21.25.x,Canada,Scarborough,Ontario
2018-02-21T08:50:41.000-0500,user@domain.com,38.21.25.x,Canada,Scarborough,Ontario
2018-02-22T11:33:28.000-0500,user@domain.com,38.21.25.x,Canada,Scarborough,Ontario
2018-02-23T09:13:32.000-0500,user@domain.com,38.21.25.x,United States,,
2018-02-24T23:54:53.000-0500,user@domain.com,38.21.25.x,Canada,Scarborough,Ontario
2018-02-25T00:18:17.000-0500,user@domain.com,38.21.25.x,Canada,Scarborough,Ontario
2018-02-25T00:24:04.000-0500,user@domain.com,38.21.25.x,Canada,Scarborough,Ontario
2018-02-25T22:01:21.000-0500,user@domain.com,38.21.25.x,Canada,Scarborough,Ontario

Particularly unusual is that it's always the same time entry that comes up as United States, while the rest come up as Canada.

Anyone know why this might be, or similar experience/solution?

0 Karma
Reply

gordo32
Communicator
‎03-27-2018 07:03 AM

Just to close this off since it's been resolved for a while... The issue was a typo in the path for the new mmdb file on the cluster peers. As a result, the peers were still using the mmdb that was in place before using the deployment server method and the first were not in sync. That @starcher for pointing me in the right direction.

0 Karma
Reply

starcher
Influencer
‎03-16-2018 12:36 AM

Are you using search or index clustering?

0 Karma
Reply

gordo32
Communicator
‎03-16-2018 12:45 PM

Good question. I just made sure that the Cluster Master, Cluster Peers, and Search Head all have the updated MMDB file downloaded and in place. Any ideas what else might be the issue? Is there any way to validate which MMDB file is being used - just to make sure the limits.conf is taking effect from an app directory instead of etc/system/local?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...