
Is it ok to blacklist the .dat files included in the MAXMIND app?

jfreund
Explorer

They're quite huge (totalling over 70MB) and I've been looking into reducing our knowledge bundle size. From the app description the app's processing is performed on the search heads so I am guessing the files aren't needed on the indexers, so I'm wondering if it's ok to blacklist this app from being included in the knowledge bundle.

0 Karma

myron_davis
Path Finder

I don't ship out the maxmind database via search bundles.

I use the system maxmind database. If you run Debian and install the package geoip-database-contrib, each machine that has that package will be kept auto-up-to-date, and if you modify each python script to point to the system maxmind database there is no need to worry about blacklists or the search bundle getting too large.

For example, in asn.py:

import os

# Point the lookup at the system-wide GeoIP database installed by the
# Debian geoip-database-contrib package instead of the copy bundled with the app.
DB_PATH = os.path.join('/usr', 'share', 'GeoIP', 'GeoIPASNum.dat')

Done; never worry about large search bundles or updated maxmind databases again!

What I've done is edit the lookup script to point to the system maxmind database.

0 Karma

somesoni2
Revered Legend

I guess that will only be required where searches are executed, e.g. Search Head and Job Servers (if you have dedicated instances for jobs/saved searches/alerts), so it should be OK to exclude them from the Indexer instance package.

0 Karma
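Putting the exclusion the answers above describe into configuration, as an added example that is not from this thread: the knowledge bundle is trimmed with a `[replicationBlacklist]` stanza in `distsearch.conf` on the search head. The app directory name `MAXMIND` and the `bin/` location of the `.dat` files are assumptions; check where the app actually keeps them before using this pattern.

```ini
# $SPLUNK_HOME/etc/system/local/distsearch.conf on the search head
# (added example, not from the thread; app directory and .dat location are assumed)
[replicationBlacklist]
# Patterns are matched against file paths relative to $SPLUNK_HOME/etc.
# "*" matches within a single path segment, "..." matches across segments,
# and "." matches a literal dot.
excludeMaxmindDat = apps/MAXMIND/bin/*.dat
```

After a restart (or the next bundle push) confirm the stanza is picked up with `splunk btool distsearch list replicationBlacklist --debug`, and check that the bundle unpacked under `$SPLUNK_HOME/var/run/searchpeers/` on an indexer no longer carries the `.dat` files. The blacklist only affects replication to search peers; the files stay in place on the search head, where the lookup scripts run, so searches that use the lookup are unaffected.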