I'm looking for the best Splunk IP geolocation and IRR lookup utility (it doesn't necessarily have to be free and doesn't have to be one tool).
Ideally it should provide the following info: country code, country name, city, latitude, longitude, ASN number, ASN org name, BGP network prefix, prefix name from the route registry.
What I have found so far:
- Splunk builtin Iplocation https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Iplocation
  - Main issues: no route registry information, no BGP data
- geoip from Google Maps https://splunkbase.splunk.com/app/368/
  - Main issues: obsolete, no route registry information
- Geo ASN https://splunkbase.splunk.com/app/576/
  - Main issues: obsolete, no country code
I guess a simple script using the free MaxMind database should do most of that job. I'm somewhat surprised I can't find anything like that, but I could have overlooked something obvious.
Any other suggestions with regard to up-to-date tools?
I haven't found anything that exactly suits my needs, but I've found an acceptable compromise for me. Instead of using geoip from Google Maps and Geo ASN, which are slow and obsolete, I use the following combination:
- for Country/City/Region/latitude/longitude I use Splunk builtin iplocation; specify lang=code to get country codes instead of country names
- for BGP prefix and ASN I've created a CIDR type lookup from the BGP table available on the NLNOG looking glass server http://lg01.infra.ring.nlnog.net/table.txt . I also use max_matches = 1 and make sure the most specific prefix matches https://answers.splunk.com/answers/559239/cidr-type-lookup-and-matching-the-most-specific-pr.html
- for ASN description (organisation name) I use a simple CSV string lookup from the Internet route registry. Specifically in my case I use one of the commercial databases, but http://www.caida.org/data/as-organizations/ provides more or less the same data for free
As a result the query is a few times faster in comparison to the Geo ASN and geoip python lookups, and the data is much more up to date.
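An added example, not from the original post, of the enrichment the answer describes: it longest-prefix-matches an IP against a constructed BGP table, joins the ASN to an organisation name, and writes the CIDR lookup CSV ordered longest-prefix-first so that a lookup returning rows in file order with max_matches = 1 gets the most specific prefix. The two-column "prefix asn" layout of the table and the AS_ORGS mapping are assumptions.

```python
import csv
import io
import ipaddress
# Constructed sample in the two-column "prefix asn" shape assumed for the
# looking-glass table (not real routing data); note the nested prefixes.
BGP_TABLE = """\
10.0.0.0/8 64500
10.1.0.0/16 64501
10.1.2.0/24 64502
192.0.2.0/24 64503
garbage line
"""
# Constructed ASN -> organisation table standing in for the registry CSV.
AS_ORGS = {64500: "Example Transit", 64501: "Example Regional", 64502: "Example Branch", 64503: "Example Docs Net"}

def parse_bgp_table(text):
    """Parse 'prefix asn' lines into (network, asn) pairs, skipping junk lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        try:
            routes.append((ipaddress.ip_network(parts[0], strict=False), int(parts[1])))
        except (IndexError, ValueError):
            continue  # blank or malformed line: ignore rather than abort the load
    return routes

def enrich(routes, ip):
    """Longest-prefix match (the most specific covering prefix wins), then join the AS org."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in routes:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, asn)
    if best is None:
        return None  # no covering prefix: leave the event unenriched
    net, asn = best
    return {"ip": ip, "prefix": str(net), "asn": asn,
            "as_org": AS_ORGS.get(asn, "unknown")}

def to_lookup_csv(routes):
    """Emit the CIDR lookup CSV longest-prefix-first so a first-match lookup with max_matches = 1 returns the most specific row."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["prefix", "asn"])
    for net, asn in sorted(routes, key=lambda r: (-r[0].prefixlen, int(r[0].network_address))):
        writer.writerow([str(net), asn])
    return buf.getvalue()

ROUTES = parse_bgp_table(BGP_TABLE)
```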

Hi @jankowsr - Glad you were able to find a workaround for your question. If you would like to close out your post, don't forget to click "Accept". But if you'd like to keep it open for possibilities of other answers, you don't have to take action on it yet. Thanks!
