Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Best Splunk IP geolocation and Internet route ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jankowsr
Path Finder
01-18-2017
04:08 AM
I'm looking for the best Splunk IP geolocation and IRR lookup utility (doesn't have to be necessarily free and doesn't have to be one tool).
Ideally it should provide the following info: country code, country name, city, latitude, longitude, ASN number, ASN org name, BGP network prefix, prefix name from the route registry
What I have found so far:
- Splunk builtin Iplocation https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Iplocation
- Main issues: No route registry information, no BGP data
- geoip from from Google Maps https://splunkbase.splunk.com/app/368/
- Main issues: obsolete, no route registry information
- Geo ASN https://splunkbase.splunk.com/app/576/
- Main issues: obsolete, no country code
I guess most of that job should do simple script using free MaxMind database. I'm somehow surprised I can't find anything like that but I could have overlooked something obvious.
Any other suggestions with regards to up to date tools?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jankowsr
Path Finder
02-10-2017
02:44 PM
I haven't found anything that exactly suits my needs but I've found acceptable for me compromise. Instead of using geoip from Google Maps and Geo ASN, which are slow and obsolete I use the following combination:
- for Country/City/Region/latitude/longitude I use Splunk builtin iplocation; specify lang=code to get country codes instead of country names
- for BGP prefix and ASN I've created CIDR type lookup from the bgp table available on the NANOG looking glass server http://lg01.infra.ring.nlnog.net/table.txt . I also use max_matches = 1 and make sure the most specific prefix matches https://answers.splunk.com/answers/559239/cidr-type-lookup-and-matching-the-most-specific-pr.html
- for ASN description (organisation name) I use simple CSV string lookup from the Internet route registry. Specifically in my case I use one of the commercial databases but http://www.caida.org/data/as-organizations/ provids more or less the same data for free
As a result query is few times faster in comparision to geo ASN and goip python lookups and the data is much more up to date.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jankowsr
Path Finder
02-10-2017
02:44 PM
I haven't found anything that exactly suits my needs but I've found acceptable for me compromise. Instead of using geoip from Google Maps and Geo ASN, which are slow and obsolete I use the following combination:
- for Country/City/Region/latitude/longitude I use Splunk builtin iplocation; specify lang=code to get country codes instead of country names
- for BGP prefix and ASN I've created CIDR type lookup from the bgp table available on the NANOG looking glass server http://lg01.infra.ring.nlnog.net/table.txt . I also use max_matches = 1 and make sure the most specific prefix matches https://answers.splunk.com/answers/559239/cidr-type-lookup-and-matching-the-most-specific-pr.html
- for ASN description (organisation name) I use simple CSV string lookup from the Internet route registry. Specifically in my case I use one of the commercial databases but http://www.caida.org/data/as-organizations/ provids more or less the same data for free
As a result query is few times faster in comparision to geo ASN and goip python lookups and the data is much more up to date.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aaraneta_splunk
Splunk Employee
02-10-2017
09:28 PM
Hi @jankowsr - Glad you were able to find a workaround for your question. If you would like to close out your post, don't forget to click "Accept". But if you'd like to keep it open for possibilities of other answers, you don't have to take action on it yet. Thanks!
Get Updates on the Splunk Community!
Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...
This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Community Badges!
Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
