Splunk Enterprise Security

Spontaneous "Health Check" error messages reported on ES Search Head regarding "maxmind_geoip_asn_ipv6" failed download?

woodcock
Esteemed Legend

We are getting the following errors on our Enterprise Security Search Head and are wondering why and how to fix them:

Health Check: Intelligence download of "maxmind_geoip_asn_ipv6" has failed on host "ES_Search_Head_Host" at: Sat Apr 27 20:45:45 2019 "threat list download failed after multiple retries"  Learn more.
4/27/2019, 9:00:31 PM
Health Check: Intelligence download of "maxmind_geoip_asn_ipv4" has failed on host "ES_Search_Head_Host" at: Sat Apr 27 20:45:45 2019 "threat list download failed after multiple retries"  Learn more.
4/27/2019, 9:00:31 PM

If I have to, I will dig into it, figure it out, and follow up here, but I am hoping that somebody has already figured it out.

0 Karma
1 Solution

MuS
SplunkTrust

Just installed ES 5.3.0 and the old URL is still used, but it is disabled. Here is the new URL https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN-CSV.zip to download the file.

cheers, MuS

alexeyglukhov
Path Finder

Just wanted to provide an update in case someone faced the issue.

Latest URL looks like this:

https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-ASN-CSV&license_key=YOUR_LICENSE_KEY_HERE&suffix=zip

You can generate the license key in your profile when you register on the MaxMind website.

0 Karma

MuS
SplunkTrust

The download works fine using http or https; to me it looks like the post-processing of the files fails in ES. For now I just use a workaround and download the file by cron job, put the CSV into the lookup folder and use the lookup:// URL in ES.

cheers, MuS

0 Karma
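
The cron-job workaround described above, using the license-key URL form posted earlier in the thread, as an added example (not code from any poster or from Splunk). The environment variable names `MAXMIND_LICENSE_KEY` and `LOOKUP_DIR` and the `zip.sha256` checksum suffix are assumptions that do not appear in the thread; the key is read from the environment so it stays out of the crontab line.

```python
import hashlib, io, os, tempfile, urllib.parse, urllib.request, zipfile

# URL form as posted in the thread; the key is supplied at run time.
BASE = "https://download.maxmind.com/app/geoip_download"
EDITION = "GeoLite2-ASN-CSV"

def build_url(license_key, suffix="zip"):
    query = urllib.parse.urlencode(
        {"edition_id": EDITION, "license_key": license_key, "suffix": suffix})
    return f"{BASE}?{query}"

def verify_sha256(data, checksum_text):
    """Compare data against a '<hex digest>  <filename>' checksum line."""
    fields = checksum_text.split()
    return bool(fields) and hashlib.sha256(data).hexdigest() == fields[0].lower()

def install_csvs(zip_bytes, lookup_dir):
    """Write only the *.csv members into lookup_dir and return their names."""
    installed = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # basename() drops the dated folder and any ../ in a member name
            name = os.path.basename(info.filename)
            if info.is_dir() or not name.endswith(".csv"):
                continue
            fd, tmp = tempfile.mkstemp(dir=lookup_dir, suffix=".tmp")
            with os.fdopen(fd, "wb") as out:
                out.write(zf.read(info))
            os.chmod(tmp, 0o644)
            # rename within one directory: a reader never sees a partial file
            os.replace(tmp, os.path.join(lookup_dir, name))
            installed.append(name)
    return sorted(installed)

def fetch(url):
    with urllib.request.urlopen(url, timeout=60) as resp:
        return resp.read()

def main():
    key = os.environ["MAXMIND_LICENSE_KEY"]   # assumed variable name
    lookup_dir = os.environ["LOOKUP_DIR"]     # assumed: the app's lookups folder
    archive = fetch(build_url(key))
    checksum = fetch(build_url(key, "zip.sha256")).decode()  # assumed suffix
    if not verify_sha256(archive, checksum):
        raise SystemExit("checksum mismatch; existing lookup files left untouched")
    print("installed:", install_csvs(archive, lookup_dir))

if __name__ == "__main__":
    main()
```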

spectrum2035
Explorer

@MuS - is it downloading with the new link? I am still getting the same error.

0 Karma

woodcock
Esteemed Legend

Go to Enterprise Security -> Configure -> Data Enrichment -> Intelligence Downloads and search for maxmind. You will see 2 entries and these have the following URLs:

https://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum2.zip
https://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum2v6.zip

As expected, these URLs are no longer valid. I found this link with more details:
https://support.maxmind.com/geolite-legacy-discontinuation-notice/

I am on ES v5.1.0 which is not the latest and I assume that the later versions have already accommodated this discontinuation. For now, until I upgrade, I have just disabled these 2 feeds, since we are not using them anyway.

woodcock
Esteemed Legend

@ppablo_splunk You should unaccept my answer and accept the one from @MuS.

ppablo
Retired

Thanks @woodcock !
