MaxMind Database Update does not affect search results

New Member

Hello,

I'm having an issue with the MaxMind GeoLite database update.

Even though I'm updating the database on Splunk, the country found for some IPs is still incorrect when using the iplocation command.

What I did on Splunk:
- Checked that the IPs showing a country mismatch are updated in the new version of the DB
- Updated the GeoLite database on all search heads, indexers and the deployment server
- Restarted all Splunk infrastructure

Splunk version: Enterprise 6.3.2

Can you please help me figure out why Splunk still seems to be using the old database data even though it doesn't exist anymore?

Thanks in advance for your help.

0 Karma

New Member

Hi Starcher,

I've replaced the DB; there's no specific modification in the conf to point to another location.

I'm using the default $SPLUNK_HOME/share/ location for DB.

What I'm doing in the update process:
- Rename previous version of the database to GeoLite2-City.mmdb.old
- Download new version and change the file rights to 644

Since it didn't work as usual, I performed a rolling restart of the search head cluster and a restart of the indexers.

So far, it is still inconclusive; the old data is persistent.

Thanks a lot for your help.

0 Karma

SplunkTrust

Update on all search heads AND indexers involved which you mentioned.
So did you replace the DB or put it in another location and use conf to point at it?
http://www.georgestarcher.com/splunk-updating-the-geoip-database/

0 Karma
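One way to check which database build is actually on disk on each search head and indexer, as an added example that is not part of the original thread: the script reads the metadata section that the MaxMind DB format stores at the end of an `.mmdb` file and reports its `build_epoch`. The function names and the sample bytes are constructed for illustration.

```python
import datetime

MARKER = b"\xab\xcd\xefMaxMind.com"  # precedes the metadata section of a MaxMind DB file

def _decode(buf, pos):
    """Decode one MaxMind DB data field at buf[pos]; return (value, next_pos)."""
    ftype, size = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if ftype == 0:                      # extended type: real type = next byte + 7
        ftype, pos = buf[pos] + 7, pos + 1
    if size >= 29:                      # size continues in the following 1-3 bytes
        n = size - 28
        size = (29, 285, 65821)[n - 1] + int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if ftype == 2:                      # UTF-8 string
        return buf[pos:pos + size].decode("utf-8"), pos + size
    if ftype in (5, 6, 9, 10):          # uint16/32/64/128, big-endian
        return int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if ftype in (7, 11):                # map (key/value pairs) or array
        items = []
        for _ in range(size * (2 if ftype == 7 else 1)):
            item, pos = _decode(buf, pos)
            items.append(item)
        return (dict(zip(items[::2], items[1::2])) if ftype == 7 else items), pos
    raise ValueError(f"unexpected field type {ftype} in metadata")

def mmdb_metadata(data):
    """Return the metadata map found after the last marker in the file bytes."""
    idx = data.rfind(MARKER)
    if idx < 0:
        raise ValueError("not a MaxMind DB file: metadata marker missing")
    return _decode(data, idx + len(MARKER))[0]

def build_date(data):
    """Return the database build date (UTC) as YYYY-MM-DD."""
    epoch = mmdb_metadata(data)["build_epoch"]
    return datetime.datetime.fromtimestamp(epoch, datetime.timezone.utc).date().isoformat()

# Constructed sample: filler + marker + a two-key metadata map, not a real database.
SAMPLE = (b"\x00" * 16 + MARKER + b"\xe2"
          + b"\x4d" + b"database_type" + b"\x4d" + b"GeoLite2-City"
          + b"\x4b" + b"build_epoch" + b"\x04\x02" + (1456790400).to_bytes(4, "big"))

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:           # e.g. $SPLUNK_HOME/share/GeoLite2-City.mmdb
        with open(path, "rb") as fh:
            print(path, build_date(fh.read()))
```

Running it against the `.mmdb` file on every node and comparing the dates shows whether any host still holds an older build.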