We have Splunk enterprise 6.2. We built splunk query that returns me all IP transacting with their country location and we are running it for last 60 minutes. Below is the query for same:
sourcetype="WebSphere:HTTPlog" |fields websphere_true_client_ip|dedup websphere_true_client_ip|table websphere_true_client_ip|iplocation websphere_true_client_ip|fields websphere_true_client_ip,Country|dedup websphere_true_client_ip,Country|table websphere_true_client_ip,Country
We noticed that some of the IP locations are not reported correctly. Below are example that shows up as US but are actually Australia.
IP Location Splunk Country Actual Country
18.104.22.168 United States AUS
22.214.171.124 United States AUS
126.96.36.199 United States AUS
188.8.131.52 United States AUS
It seems it does not have correct IP database OR IP database is not refreshed.
Generally speaking, the accuracy of the lookup is based on specific factors such as:
1. Structure your Splunk search query so that you 'dedup' BEFORE using 'iplocation'
2. Having an up-to-date MMDB file in Splunk
3. Whether or not the raw database (MaxMind's DataBase (mmdb), by default) is accurate based on its current content (even if you have the most current copy).
I have seen the same issue occur if you put dedup after iplocation. If your data and search structure permits, always ensure your
|dedup command preceeds
|iplocation in the search query. Too, you would then usually improve performance / reduce search-load by throwing less unique values for iplocation to process.
As ryanoconnor mentioned as well, keeping your maxmind db up-to-date is important. I typically download the new file the 1st Thursday of each month from maxmind.com. Maxmind usually begins updating their 'free' copy the 1st Tuesday of ea month. I often notice the new file is not ready until late Wednesday. Creating a simple scripted input in a new app, utilizing tools like wget/curl to regularly download the new file in your script and maybe set an interval by cron should help with maintenance here. Otherwise, I believe Splunk updates this file with each new maintenance release.
SPLUNK FILE LOCATION:
"$SPLUNK_HOME/share/GeoLite2-City.mmdb" (default location)
By default, Splunk includes the 'free' version of the mmdb file. You can even subscribe to Maxmind's precision service if super-high accuracy might be an operational requirement.
Where to get the latest mmdb: http://dev.maxmind.com/geoip/geoip2/geolite2/#Downloads
Sample download link: http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz
There are a few scripts out there available by now. I just deployed a custom script in my environment for ksh in Linux. Best of luck.
This likely has to do with the version of the IP Database that is being used. This database is updated with Maintenance releases of Splunk. I would recommend upgrading from 6.2 if you can.