Splunk Search

MaxMind DB Usage (more than just City): How to store and link DBs?

frog22
Explorer

All,

Hopefully I have this in the correct location, I'm still new to all of this.

Anyway, we have a subscription to MaxMind databases (Connection-Type, Domain, and ISP databases) and I would like to implement them, but don't know how.  I don't know where to store the DB's, how to link them together (if they need to be linked), and how to add them so that I utilize them in searches.

I'm fairly new to Splunk, so feel free to treat me like someone who doesn't know anything.

Greatly appreciate your help with this!

Kevin

Labels (1)
0 Karma

to4kawa
Ultra Champion

I've never done that before.
It seems to be provided as a CSV file, so why don't you register it as a lookup?

0 Karma

frog22
Explorer

to4kawa,

 

Lookups may be a possibility, but it's beyond my skill level and it adds layers of complication to the maintenance....

 

1. Updates come out weekly

2. There are 2 csv files per 1 mmdb file (6 csv files, 3 mmdb files), which will require a total of 6 lookups to maintain and run queries against

3. The csv files / mmdb's utilize subnet ranges (IPV4 & IPV6 address ranges).....1.0.64.0/24, 78.129.0.0/17, 185.91.188.0/22, 2001:218:3000::/46, 2001:410:80::/37, 2a00:df0::/32, 2a04:f580:9240::/48

4. The csv files utilize both IPV4 and IPV6 addresses

 

I'm totally open to suggestions, though.  Thanks!!

0 Karma

to4kawa
Ultra Champion
0 Karma

frog22
Explorer

to4kawa, while I appreciate the assistance that is already information I have.  I'm able to replace/update the Geolocation data, but there are 3 other databases worth of information that are not Geolocation data.  Since they are, collectively, 4 independent databases I'm trying to figure out how to implement them in Splunk as I believe the other 3 require the ID field in the City database in order to correlate information within the individual databases.

0 Karma

jnhth
Explorer

did you find a solution for this?

0 Karma

hughkelley
Path Finder

In Splunk Cloud, CSVs are one way to go.   We did this with the free ASN DB when we moved to cloud (couldn't get https://splunkbase.splunk.com/app/3531 for cloud). 

In short,  it's a CSV-backed lookup with a CIDR match type over the column/field with the network range.

We're also looking at https://splunkbase.splunk.com/app/3022 now.

0 Karma
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...