Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Is the iplocation command compatible with the commercial version of MAXMIND mmdb?

lohitkidu
Path Finder
‎06-10-2016 12:41 AM

I am evaluating the commercial version of MAXMIND city DB(mmdb) and would like to replace it with the free version that ships out with Splunk. Commercial version of City mdb seems to have more fields than its free version so I would like to know whether the upgrade will break the iplocation in any way or will the iplocation command even display the fields exclusive to commercial version?

For reference:
1) iplocation
http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/iplocation
City, Continent, Country, Region, MetroCode, Timezone, lat (latitude), and lon (longitude).

2) maxmind

https://www.maxmind.com/en/geoip2-city

Includes the following fields:
Continent
Country
Country of Registration (GeoIP2 Only)
Country Represented and Type of Representation (For military bases) (GeoIP2 Only)
Subdivisions (GeoIP2 MMDB Format Only; GeoIP Legacy contains one region)
City Name
Postal Code
Latitude
Longitude (Latitude and Longitude are often near the center of population. These values are not precise and should not be used to identify a particular address or household.)
Accuracy Radius
Metro Code (US only)
Time zone
GeoNames IDs (for localization and pairing outside data; GeoIP2 only)

Any ideas ?

Tags (2)
Reply

aholzel
Communicator
‎09-27-2016 11:35 AM

you can change the free database with the commercial one and it will work, you don't get the extra fields however.

if you create an limits.conf and use the "db_path" option you can point splunk to the new database and don't have to replace the existing one.

also see: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#.5Biplocation.5D

Reply

ifotopoulos
Explorer
‎12-16-2017 03:48 AM

Do you by any chance know how you can change the default iplocation command to return the extra fields that come with the premium version?

I'm struggling locating the iplocation script, it's not in etc/apps/search/bin as expected.

0 Karma
Reply

aholzel
Communicator
‎12-25-2017 04:48 AM

That is not possible... the iplocation command is a build in command, it is build in the core code of splunk so you can't change it... what I did was create a custom command that pulled the fields from the database. It is some time ago that I did this but I can have al look to see if I can find the code.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...