Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

storing geoIP data

awurster
Contributor
‎12-03-2014 04:16 PM

looking for advice on how to best save location and other data enrichment attributes (specifically in 6.x and forward compatibility). what's the best way to store / cache enrichment data such as GeoIP?

saved searches? data models? streamstats? collect?

we are looking to do SIEM type lookups against blacklists, geoIP, etc but would like to cache the data within splunk or perhaps even externally in a data store for future reference.

how are other folks doing this?

0 Karma
Reply

davidpaper
Contributor
‎03-27-2016 07:58 PM

Better late than never ...

So there are a couple of options to store GeoIP data.

1) If you have customer GeoIP data, create your own GeoIP DB. https://blog.maxmind.com/2015/09/29/building-your-own-mmdb-database-for-fun-and-profit/ is a godo start.

2) If you don't want to do #1, or you want to use multiple GeoIP DBs in Splunk concurrently (which we don't currently support), leave the one that comes w/ Splunk in place, and create a lookup table with your GeoIP data in it. If you have multiple GeoIP sources, use multiple lookups, named appropriately.

3) kvstore. Now that kvstore can can be replicated to the indexers (6.3+), you could create a GeoIP collection in the kvstore, one collection per GeoIP DB to reference, and then call it/them when you want to. kvstore will likely scale better as its mongodb behind the scenes than plain text lookups.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...