Splunk Enterprise

Is IPGeo location a built in feature of Splunk or is that an Add-on?

Gregski11
Contributor

We upgraded our Splunk search heads from 8.x to 9.x and our customers report a discrepancy in their IPGeo location searches, where version 8.x.x was reporting a different city for the same IP address than 9.x.x is reporting.

I thought, OK, let me go upgrade whatever IPGeo add-on app to the latest version (or to the same version on both Splunk servers), but I don't know what app I am looking for, or even if that is a separate app or somehow part of the general Splunk code.

Your feedback is greatly appreciated.

0 Karma
1 Solution

richgalloway
SplunkTrust

The default geolocation database changes with every release.  The new database may produce different (hopefully more accurate) results than older versions.

You can update the database yourself, if it's in MMDB format.  See https://www.splunk.com/en_us/blog/tips-and-tricks/updating-the-iplocation-db and https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/SearchReference/Iplocation for tips on that.

There is an app available to keep the database current.  See https://splunkbase.splunk.com/app/5482/ .

---
If this reply helps you, Karma would be appreciated.
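
Added example (not part of the original posts and not Splunk's code): every MMDB file ends with a metadata map that records the database type and build time, so reading it on each search head shows whether the two versions carry different database builds. The decoder handles only the field types that metadata uses, and `sample()` returns constructed bytes, not a real database.

```python
import datetime
import sys

MARKER = b"\xab\xcd\xefMaxMind.com"  # start-of-metadata marker from the MMDB format

def decode(buf, pos):
    """Decode one MMDB data field at buf[pos]; return (value, next_pos)."""
    ftype, size = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if ftype == 0:  # extended type: the next byte holds (type - 7)
        ftype = buf[pos] + 7
        pos += 1
    if size >= 29:  # sizes 29..31 mean 1..3 extra size bytes follow
        extra = size - 28
        size = (29, 285, 65821)[extra - 1] + int.from_bytes(buf[pos:pos + extra], "big")
        pos += extra
    if ftype == 2:  # UTF-8 string
        return buf[pos:pos + size].decode("utf-8"), pos + size
    if ftype in (5, 6, 9, 10):  # unsigned ints, big-endian, variable length
        return int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if ftype in (7, 11):  # map (size counts pairs) or array (size counts elements)
        items = []
        for _ in range(size * (2 if ftype == 7 else 1)):
            item, pos = decode(buf, pos)
            items.append(item)
        return (dict(zip(items[::2], items[1::2])) if ftype == 7 else items), pos
    raise ValueError(f"field type {ftype} not handled by this example")

def describe(blob):
    """Return (database_type, build date) from an MMDB file's metadata map."""
    idx = blob.rfind(MARKER)  # metadata follows the last marker in the file
    if idx < 0:
        raise ValueError("not an MMDB file: metadata marker missing")
    meta, _ = decode(blob, idx + len(MARKER))
    built = datetime.datetime.fromtimestamp(meta["build_epoch"], datetime.timezone.utc)
    return meta["database_type"], built.date().isoformat()

def sample(db_type, epoch):
    """Constructed stand-in for a database file: padding, marker, two-entry map."""
    s = lambda t: bytes([0x40 | len(t)]) + t.encode()  # short-string encoder
    return (b"\x00" * 16 + MARKER + b"\xe2" + s("database_type") + s(db_type)
            + s("build_epoch") + b"\x04\x02" + epoch.to_bytes(4, "big"))

if __name__ == "__main__":  # usage: python script.py <file.mmdb> [<file.mmdb> ...]
    for path in sys.argv[1:]:
        print(path, *describe(open(path, "rb").read()))
```

Run it against the `.mmdb` file from each search head; differing build dates or database types account for differing city results for the same IP address.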

Gregski11
Contributor

@richgalloway wrote:

The default geolocation database changes with every release.  The new database may produce different (hopefully more accurate) results than older versions.

You can update the database yourself, if it's in MMDB format.  See https://www.splunk.com/en_us/blog/tips-and-tricks/updating-the-iplocation-db and https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/SearchReference/Iplocation for tips on that.

There is an app available to keep the database current.  See https://splunkbase.splunk.com/app/5482/ .


Thank you so much Rich, this really helps. It does appear as though the first two links you posted lead to the same location; was that what you expected?

https://www.splunk.com/en_us/blog/tips-and-tricks/updating-the-iplocation-db

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/SearchReference/Iplocation

0 Karma

richgalloway
SplunkTrust

That was not the intent and I have fixed the links.  Thanks for pointing it out.

---
If this reply helps you, Karma would be appreciated.