Hi All,
We are getting issues with the iplocation command, where it shows the wrong Country for some of the IPs. Actually, we tried replacing the current GeoLite2-City.mmdb file with the latest one from the MaxMind site and restarted Splunk several times, but it still does not show the location properly. Our Splunk setup is a distributed architecture, so do we need to update the mmdb file on both the search heads and the indexers?
As per the iplocation documentation: https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Iplocation
"The MMDB file and distributed deployments:
The iplocation command is a distributable streaming command, which means that it can be processed on the indexers. The share directory is not part of the knowledge bundle. If you update the MMDB file in the share directory, the updated file is not automatically sent to the indexers in a distributed deployment. To add the MMDB file to the indexers, use the tools that you typically use to push files to the indexers."
For example, IP 185.183.105.138 belongs to Italy, but somehow it shows as "United Kingdom" in Splunk. Please help resolve this issue.
Thanks
PG
Yes, I did that, but it still was not working. I have figured out the issue. I was putting the iplocation command first and then doing stats count, due to which it was not showing the proper location for some Countries.
After putting the iplocation command after stats count, it showed the location properly. I got the solution from the Splunk answer below:
https://answers.splunk.com/answers/435948/iplocation-query-returning-wrong-location-for-some.html
Now the issue is resolved.
Thanks
We were facing the same issue and I stumbled over this thread while searching for possible causes. As I did not find one there but eventually found the cause of the different locations for IPs depending on where iplocation is used in the search, I wanted to share it.
The given and accepted answer above is misleading / incomplete (it does not explain the different results depending on where in the search iplocation is used).
We experienced the behaviour when using iplocation in conjunction with eventstats.
When iplocation was used before eventstats, the location was correct; when used after eventstats, it was wrong.
Cause:
Eventstats (as well as stats) is a data processing / non-streaming command (-> it runs on the search head). Iplocation is a distributable streaming command (-> it can run on the indexer).
So using iplocation BEFORE eventstats (and right after the base search) makes it run on the indexers.
When using iplocation AFTER eventstats, it runs on the search head.
The reason for yielding different location results was different iplocation database versions (GeoLite2...) on the search head and the indexers.
So make sure your geolocation DB is up to date and identical on all your Splunk components; then iplocation yields the same results regardless of where it is used in the search.
Where you place it depends on your search.
Usually it is advisable to enrich AFTER transforming/aggregating commands like stats or eventstats. But as iplocation is a distributable streaming command, it might perform better when it can run on the indexers instead of the search head.
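An added check for the root cause described in the post above (this script is not from the thread or from Splunk): it collects the SHA-256 of the MMDB file from the search head and each indexer and reports any node whose copy differs from the search head's, so a version mismatch is caught before it shows up as inconsistent iplocation results. Host names, SSH access, sha256sum on every node and the default MMDB path are assumptions; override MMDB_PATH if db_path in limits.conf points elsewhere.

```shell
#!/bin/sh
# Added example: confirm every Splunk node serves the same GeoLite2 MMDB.
# iplocation may run on indexers (before stats/eventstats) or on the
# search head (after them), so all copies must be identical.
# Assumption: default MMDB location; adjust if limits.conf sets db_path.
MMDB_PATH="${MMDB_PATH:-/opt/splunk/share/GeoLite2-City.mmdb}"

# Print one line "host<TAB>sha256" per host given as argument.
# The search head should be listed first; it is used as the reference.
# A missing file is reported as the sentinel value MISSING.
collect_checksums() {
  for host in "$@"; do
    ssh -o BatchMode=yes "$host" \
      "sha256sum '$MMDB_PATH' 2>/dev/null || echo MISSING" \
      | awk -v h="$host" '{ print h "\t" $1 }'
  done
}

# Read "host<TAB>sha256" lines on stdin and print every host whose
# checksum differs from the first (reference) host.
# Exit status: 0 when all copies match, 1 when any differ.
find_mismatches() {
  awk -F'\t' '
    NR == 1 { ref = $2; refhost = $1; next }
    $2 != ref {
      printf "MISMATCH %s (%s) vs %s (%s)\n", $1, $2, refhost, ref
      bad = 1
    }
    END { exit bad ? 1 : 0 }
  '
}

# Usage (hypothetical host names): the search head first, then indexers.
# collect_checksums sh01 idx01 idx02 | find_mismatches
```

If the script reports a mismatch, push the same MMDB to the offending node and restart or reload Splunk there before re-running the comparison.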
You may need to update your iplocation source database. Check out this link. Also, ensure that it's not an internal IP.
https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Iplocation
@pgadhari please accept your own answer to mark this question as answered and also help others facing a similar issue!
PS: Ideally, you should perform stats (transformation) first and iplocation (enrichment) afterwards wherever possible. Refer to the documentation along similar lines: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup#Optimizing_your_lookup_se...
| makeresults | eval message= "Happy Splunking!!!"
May we know if you updated the iplocation setting
in the limits.conf.spec file:
[iplocation]
db_path = /something-Like/Applications/splunk612/share/GeoLite2-City-201407.mmdb
https://www.splunk.com/blog/2014/07/22/updating-the-iplocation-db.html
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Guys, has anybody faced this issue before? Please help.
