Hopefully I have this in the correct location, I'm still new to all of this.
Anyway, we have a subscription to MaxMind databases (Connection-Type, Domain, and ISP databases) and I would like to implement them, but don't know how. I don't know where to store the DBs, how to link them together (if they need to be linked), or how to add them so that I can utilize them in searches.
I'm fairly new to Splunk, so feel free to treat me like someone who doesn't know anything.
Greatly appreciate your help with this!
Lookups may be a possibility, but it's beyond my skill level and it adds layers of complication to the maintenance:
1. Updates come out weekly
2. There are 2 CSV files per 1 mmdb file (6 CSV files, 3 mmdb files), which will require a total of 6 lookups to maintain and run queries against
3. The CSV files / mmdb files utilize subnet ranges (IPv4 & IPv6 address ranges): 184.108.40.206/24, 220.127.116.11/17, 18.104.22.168/22, 2001:218:3000::/46, 2001:410:80::/37, 2a00:df0::/32, 2a04:f580:9240::/48
4. The CSV files utilize both IPv4 and IPv6 addresses
I'm totally open to suggestions, though. Thanks!!
to4kawa, while I appreciate the assistance, that is information I already have. I'm able to replace/update the Geolocation data, but there are 3 other databases' worth of information that are not Geolocation data. Since they are, collectively, 4 independent databases, I'm trying to figure out how to implement them in Splunk, as I believe the other 3 require the ID field in the City database in order to correlate information within the individual databases.
In Splunk Cloud, CSVs are one way to go. We did this with the free ASN DB when we moved to cloud (couldn't get https://splunkbase.splunk.com/app/3531 for cloud).
In short, it's a CSV-backed lookup with a CIDR match type over the column/field with the network range.
We're also looking at https://splunkbase.splunk.com/app/3022 now.
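Added example of the CSV-backed CIDR lookup described above (my own illustration, not the answerer's configuration). It assumes the MaxMind ISP CSVs are uploaded as lookup table files named GeoIP2-ISP-Blocks-IPv4.csv and GeoIP2-ISP-Blocks-IPv6.csv, that the range column is called `network`, and that the other column names (`isp`, `organization`, `autonomous_system_number`) match what the downloaded CSV actually contains; check the header row of your own files and adjust the names.

```ini
# transforms.conf (uploaded via Settings > Lookups in Splunk Cloud, or in an app's local/ on-prem)
# One stanza per CSV file; the IPv4 and IPv6 block files become two separate lookups.
# Assumed filenames and column names - verify against your MaxMind download.

[maxmind_isp_ipv4]
filename = GeoIP2-ISP-Blocks-IPv4.csv
# Match an event's IP address against the CIDR ranges in the "network" column
match_type = CIDR(network)
# Return only one row per event so a lookup cannot multiply your results
max_matches = 1
case_sensitive_match = false

[maxmind_isp_ipv6]
filename = GeoIP2-ISP-Blocks-IPv6.csv
match_type = CIDR(network)
max_matches = 1
case_sensitive_match = false

# Example search using the lookup (SPL, shown here as a comment):
#   index=fw src_ip=*
#   | lookup maxmind_isp_ipv4 network AS src_ip OUTPUT isp organization autonomous_system_number
#   | lookup maxmind_isp_ipv6 network AS src_ip OUTPUTNEW isp organization autonomous_system_number
#   | stats count BY isp, autonomous_system_number
```

Because the weekly MaxMind refresh replaces whole files, updating is a matter of re-uploading each CSV under the same filename, so the stanzas above do not change. If a file contains overlapping ranges (a /24 inside a /17, for instance), test a few addresses from the narrower range with `| inputlookup` or a small `| makeresults` search to confirm which row Splunk returns before relying on the lookup in detections.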