Splunk Enterprise

MMDB Updating

willadams
Contributor

I have a Cluster Master with a couple of indexers in a cluster. I have a search head that obviously references the indexers. I need to update MMDB and have been able to download the file. I am going to follow various other guides that I have found around updating this process by basically doing something like https://github.com/georgestarcher/TA-geoip. The intent was to:

  1. Create a new "app" called something similar on my cluster master under "Master Apps".
  2. Push the app via cluster master to my local indexers and let the cluster push this as a "Slave App" to the indexers.

The Splunk doco advises that "iplocation" is a distributed search, meaning it will use one of the indexers when the query is run. What is not clear is whether or not I need to update it on my Search Heads as well. If it is using the indexers when the command is run, is there a need to do it on the search heads as well? I suspect the answer, as with most things like this, is to just update it on the indexers and search heads to avoid unwanted problems, but I thought I would check in case I missed something.


richgalloway
SplunkTrust

Install the MMDB file on your search heads as well.  The "unwanted problem" to avoid is an iplocation command running on an SH (because it follows a non-distributable command) and using the wrong location database.

---
If this reply helps you, Karma would be appreciated.


willadams
Contributor
  • Thanks Rich.