Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

storing geoIP data

awurster
Contributor
‎12-03-2014 04:16 PM

looking for advice on how to best save location and other data enrichment attributes (specifically in 6.x and forward compatibility). what's the best way to store / cache enrichment data such as GeoIP?

saved searches? data models? streamstats? collect?

we are looking to do SIEM type lookups against blacklists, geoIP, etc but would like to cache the data within splunk or perhaps even externally in a data store for future reference.

how are other folks doing this?

0 Karma
Reply

davidpaper
Contributor
‎03-27-2016 07:58 PM

Better late than never ...

So there are a couple of options to store GeoIP data.

1) If you have customer GeoIP data, create your own GeoIP DB. https://blog.maxmind.com/2015/09/29/building-your-own-mmdb-database-for-fun-and-profit/ is a godo start.

2) If you don't want to do #1, or you want to use multiple GeoIP DBs in Splunk concurrently (which we don't currently support), leave the one that comes w/ Splunk in place, and create a lookup table with your GeoIP data in it. If you have multiple GeoIP sources, use multiple lookups, named appropriately.

3) kvstore. Now that kvstore can can be replicated to the indexers (6.3+), you could create a GeoIP collection in the kvstore, one collection per GeoIP DB to reference, and then call it/them when you want to. kvstore will likely scale better as its mongodb behind the scenes than plain text lookups.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...