Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

storing geoIP data

awurster
Contributor
‎12-03-2014 04:16 PM

looking for advice on how to best save location and other data enrichment attributes (specifically in 6.x and forward compatibility). what's the best way to store / cache enrichment data such as GeoIP?

saved searches? data models? streamstats? collect?

we are looking to do SIEM type lookups against blacklists, geoIP, etc but would like to cache the data within splunk or perhaps even externally in a data store for future reference.

how are other folks doing this?

0 Karma
Reply

davidpaper
Contributor
‎03-27-2016 07:58 PM

Better late than never ...

So there are a couple of options to store GeoIP data.

1) If you have customer GeoIP data, create your own GeoIP DB. https://blog.maxmind.com/2015/09/29/building-your-own-mmdb-database-for-fun-and-profit/ is a godo start.

2) If you don't want to do #1, or you want to use multiple GeoIP DBs in Splunk concurrently (which we don't currently support), leave the one that comes w/ Splunk in place, and create a lookup table with your GeoIP data in it. If you have multiple GeoIP sources, use multiple lookups, named appropriately.

3) kvstore. Now that kvstore can can be replicated to the indexers (6.3+), you could create a GeoIP collection in the kvstore, one collection per GeoIP DB to reference, and then call it/them when you want to. kvstore will likely scale better as its mongodb behind the scenes than plain text lookups.

Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...