http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Iplocation describes how to obtain updated IP location data. I have set a up a process to update /opt/splunk/share/GeoLite2-City.mmdb with the latest every month.
But then on a restart, we get messages complaining about this change:
11-21-2018 06:07:40.843 +0000 WARN InstalledFilesHashChecker - An installed file="/opt/splunk/share/GeoLite2-City.mmdb" did not pass hash-checking due to reason="content mismatch"
I tried updating the checksum in splunk-6.5.3-36937ad027d4-linux-2.6-x86_64-manifest to match the new file - but to no avail. How do I let Splunk know that the new copy of GeoLite2-City.mmdb is OK?
Ours is a Search Head and Index cluster Enterprise edition - 6.5.3.
I might have been too smart for my own good. I made a copy of splunk-6.5.3-36937ad027d4-linux-2.6-x86_64-manifest to splunk-6.5.3-36937ad027d4-linux-2.6-x86_64-manifest-20181121. It looks like this was getting checked as well.
After removing it (or rather moving elsewhere) and restarting I am yet to see another complaint. Possibly just looking too early.