Splunk Search

Is it possible to extend events by IP address geolocation recognition?

max_szulc
New Member

Is it possible to extend (either at index or search-time) events by geolocation - considering a long enough period where a single address can correspond to multiple locations (and vice versa), as well as keeping old locations despite updating geolocation db?

0 Karma

jplumsdaine22
Influencer

Short answer is yes. There is even a built-in command called iplocation, see http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Iplocation

However you mention you also want to track historical information on ip location. Personally I would not use Splunk for the second part but it is feasible using lookup tables or a kv store. Familiarise yourself with how to do lookups and geolocation commands first. I would tackle the historical data problem when you have a firm handle on how to get what you want from splunk with current data.

max_szulc
New Member

I am aware of lookup tables and static databases. I theorised that I could extend an event by geolocation data by maintaining a geolocation db folder and performing a lookup from the dbs there, where db names are basically in a timelike format and the proper db can be chosen based on event timestamp.

That however creates a problem with maintaining an ever-increasing historical database folder, where size is dependent on the frequency of downloading every new db, so it's actually a size/accuracy reverse proportion.

For a single indexer I am not sure how feasible that would be, even after having managed automatic geolocation db downloading and naming.

I am aware of the iplocation command, but there was a thread where a user determined that the source is a set database ipv4.geodb and iso3166 mappings. The latter I can find in my /splunk/share, the former I assume has been replaced by GeoLite2-City.mmdb. In the thread I refer to, an answer was given that an old ipv4.geodb had been updated every two months, which unfortunately is not often enough for security purposes, hence I suppose I need to use an external geolocation db source.

Almost a year has passed since the thread that I mention, so I suppose a lot could have changed in that department - has it? However, even in such a case, I still don't know how to maintain historical location data for IP addresses.

0 Karma

jplumsdaine22
Influencer

If you want more frequently updated IP location info it is going to cost you money - here is MaxMind's pricing page: https://www.maxmind.com/en/geoip2-databases

As I said I would get a firm handle on your live information first before going down the historical route.

For the historical I would save all the data from your location provider into a separate database and use a script or the dbconnect app to get the data into a splunk search.

0 Karma
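The dated-db-folder idea from the question and the "script feeding a separate database" suggestion in the last reply both come down to a point-in-time lookup: resolve each event against the newest geolocation snapshot that already existed at the event's timestamp, and never discard older snapshots. The following is an added example, not code from the thread or from Splunk; the snapshot contents, networks and locations are constructed, and a real deployment would load them from the dated database files and write the results out as a lookup table.

```python
from bisect import bisect_right
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample data standing in for a folder of dated GeoIP dumps (one file
# per download, named by date): download date -> {network: location}.
# Networks are RFC 5737 documentation ranges; the locations are invented.
SAMPLE_SNAPSHOTS = {
    "2016-01-01": {"203.0.113.0/24": "Warsaw, PL", "198.51.100.0/24": "Berlin, DE"},
    "2016-03-01": {"203.0.113.0/24": "Krakow, PL", "198.51.100.0/24": "Berlin, DE"},
    "2016-05-01": {"203.0.113.0/25": "Gdansk, PL", "203.0.113.128/25": "Krakow, PL",
                   "198.51.100.0/24": "Munich, DE"},
}

def _utc(day):
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)

class HistoricalGeoDB:
    """Keeps every snapshot; an event resolves against the newest one published by its timestamp."""
    def __init__(self, snapshots):
        self._tables = {}  # publish date -> [(network, location)], longest prefix first
        self._dates = []   # the same dates, sorted, for bisecting
        for day, table in snapshots.items():
            self.add_snapshot(day, table)
    def add_snapshot(self, day, table):
        # A newer db is stored alongside the old ones; nothing is overwritten.
        nets = [(ip_network(n), loc) for n, loc in table.items()]
        nets.sort(key=lambda t: t[0].prefixlen, reverse=True)
        self._tables[_utc(day)] = nets
        self._dates = sorted(self._tables)
    def snapshot_for(self, event_time):
        idx = bisect_right(self._dates, event_time) - 1
        return self._dates[idx] if idx >= 0 else None  # None: event predates first db
    def lookup(self, ip, event_time):
        when = self.snapshot_for(event_time)
        if when is None:
            return None
        addr = ip_address(ip)
        return next((loc for net, loc in self._tables[when] if addr in net), None)
    def history(self, ip):
        """Distinct (date, location) pairs for one address across all snapshots."""
        out = []
        for when in self._dates:
            loc = self.lookup(ip, when)
            if not out or out[-1][1] != loc:
                out.append((when.date().isoformat(), loc))
        return out
```

`history()` is the record the question asks about: one address mapping to several locations over time, with the old mappings surviving each db refresh.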