I'm having an issue with the MaxMind GeoLite database update.
Even though I'm updating the database on Splunk, the Country found for some IPs is still incorrect when using the iplocation command.
What I did on Splunk:
Checked that the IPs showing a Country mismatch are updated in the new version of the DB
Updated the GeoLite database on all search heads, indexers and the deployment server
Restarted all Splunk infrastructure
Splunk version: Enterprise 6.3.2
Can you please help me figure out why Splunk still seems to be using old database data even though it doesn't exist anymore?
Since I've updated the script to use a License Key (just replace "MYLICENSEKEY" with your own in the script), everything is working smoothly again and my customer is happier to have threat source locations on their dashboards 😉
I hope this answer helps you correct the issue you are facing, as it seems pretty similar to the one I faced.