Is it possible to extend (either at index or search-time) events by geolocation - considering a long enough period where a single address can correspond to multiple locations (and vice versa), as well as keeping old locations despite updating geolocation db?
Short answer is yes. There is even a built in command called
iplocation see http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Iplocation
However you mention you also want to track historical information on ip location. Personally I would not use Splunk for the second part but it is feasible using lookup tables or a kv store. Familiarise yourself with how to do lookups and geolocation commands first. I would tackle the historical data problem when you have a firm handle on how to get what you want from splunk with current data.
I am aware of lookup tables and static databases. I theorised that I could extend an event by geolocation data by maintaining a geolocation db folder and performing a lookup from dbs there, where db names are basically named in a time-like format and the proper db can be chosen based on the event timestamp.
That however creates a problem with maintaining an ever-increasing historical database folder, where size is dependent on the frequency of downloading every new db, so it's actually a size/accuracy inverse proportion.
For a single indexer I am not sure how feasible that would be, even after having managed automatic geolocation db downloading and naming.
I am aware of iplocation command, but there was a thread where a user determined that the source is a set database ipv4.geodb and iso3166 mappings. The latter I can find in my /splunk/share, the former I assume has been replaced by GeoLite2-City.mmdb. In the thread I refer to, an answer was given, that an old ipv4.geodb had been updated every two months, which unfortunately is not often enough for security purposes, hence I suppose I need to use external geolocation db source.
Almost a year has passed since the thread that I mention, so I suppose a lot could change in that department - has it? However, even in such a case, I still don't know how to maintain historical location data for IP addresses.
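The time-named db folder idea from the comment above, worked through as an added example (not code from the thread or from Splunk). It assumes each snapshot of the geolocation db is tagged with the date it was downloaded, picks the snapshot that was in force at the event's `_time` (Splunk's epoch timestamp field), and does a longest-prefix CIDR match inside it. The snapshot contents, prefixes and locations are constructed sample data; in a real deployment each snapshot would be a file such as GeoLite2-City.mmdb opened with the `maxminddb` module, and the class would sit behind a Splunk external (scripted) lookup.

```python
"""Time-aware IP geolocation: choose the db snapshot valid at event time.

Added example; not from the thread. Snapshots are in-memory CIDR tables
here (constructed data) instead of real GeoLite2 files.
"""
import bisect
import ipaddress
from datetime import datetime, timezone


def parse_utc(day):
    """'YYYY-MM-DD' -> epoch seconds at 00:00 UTC (same unit as Splunk _time)."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp()


# Constructed snapshots: (download date, rows). In the second snapshot half
# of 203.0.113.0/24 has been reassigned, so the same IP maps to two
# different locations depending on when the event happened.
SNAPSHOTS = [
    ("2016-01-01", [
        ("203.0.113.0/24", "NL/Amsterdam"),
        ("198.51.100.0/24", "US/Chicago"),
    ]),
    ("2016-03-01", [
        ("203.0.113.0/25", "DE/Frankfurt"),
        ("203.0.113.0/24", "NL/Amsterdam"),
        ("198.51.100.0/24", "US/Chicago"),
    ]),
]


class HistoricalGeoDB:
    def __init__(self, snapshots):
        # Sort by download date so bisect can find the snapshot in force.
        ordered = sorted(snapshots, key=lambda s: parse_utc(s[0]))
        self._dates = [parse_utc(day) for day, _ in ordered]
        self._tables = []
        for _, rows in ordered:
            table = [(ipaddress.ip_network(cidr), loc) for cidr, loc in rows]
            # Longest prefix first, so the first containing network wins.
            table.sort(key=lambda r: r[0].prefixlen, reverse=True)
            self._tables.append(table)

    def snapshot_index(self, when):
        """Index of the newest snapshot downloaded at or before `when`
        (epoch seconds); -1 if the event predates every snapshot."""
        return bisect.bisect_right(self._dates, when) - 1

    def lookup(self, ip, when):
        """Location for `ip` as the db knew it at time `when`, or None."""
        idx = self.snapshot_index(when)
        if idx < 0:
            return None  # no snapshot covers this period: leave unenriched
        addr = ipaddress.ip_address(ip)
        for net, loc in self._tables[idx]:
            if addr in net:  # False across v4/v6, so mixed tables are safe
                return loc
        return None


def enrich(events, db):
    """Add a `location` field to each event dict using its own _time."""
    return [dict(ev, location=db.lookup(ev["src_ip"], ev["_time"]))
            for ev in events]


if __name__ == "__main__":
    db = HistoricalGeoDB(SNAPSHOTS)
    # Constructed events: same source IP before and after the reassignment.
    events = [
        {"_time": parse_utc("2016-02-01"), "src_ip": "203.0.113.5"},
        {"_time": parse_utc("2016-04-01"), "src_ip": "203.0.113.5"},
        {"_time": parse_utc("2016-04-01"), "src_ip": "203.0.113.200"},
        {"_time": parse_utc("2015-12-01"), "src_ip": "203.0.113.5"},
    ]
    for ev in enrich(events, db):
        print(ev)
```

The class answers the size/accuracy concern in a measurable way: accuracy for a given event is bounded by the age of the newest snapshot that precedes it, so the download cadence directly sets the maximum staleness of any enrichment. Because each snapshot is selected by `_time` rather than by wall-clock time, re-running a search over old events returns the location that was current when the event happened, which is the property an incident timeline needs.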
If you want more frequently updated IP location info it is going to cost you money - here is MaxMind's pricing page: https://www.maxmind.com/en/geoip2-databases
As I said I would get a firm handle on your live information first before going down the historical route.
For the historical data I would save all the data from your location provider into a separate database and use a script or the dbconnect app to get the data into a Splunk search.