Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

MaxMind DB Usage (more than just City): How to store and link DBs?

frog22
Explorer
‎01-15-2021 10:55 AM

All,

Hopefully I have this in the correct location, I'm still new to all of this.

Anyway, we have a subscription to MaxMind databases (Connection-Type, Domain, and ISP databases) and I would like to implement them, but don't know how.  I don't know where to store the DB's, how to link them together (if they need to be linked), and how to add them so that I utilize them in searches.

I'm fairly new to Splunk, so feel free to treat me like someone who doesn't know anything.

Greatly appreciate your help with this!

Kevin

0 Karma
Reply

to4kawa
Ultra Champion
‎01-15-2021 08:16 PM

I've never done that before.
It seems to be provided as a CSV file, so why don't you register it as a lookup?

0 Karma
Reply

frog22
Explorer
‎01-21-2021 04:13 PM

to4kawa,

 

Lookups may be a possibility, but it's beyond my skill level and it adds layers of complication to the maintenance....

 

1. Updates come out weekly

2. There are 2 csv files per 1 mmdb file (6 csv files, 3 mmdb files), which will require a total of 6 lookups to maintain and run queries against

3. The csv files / mmdb's utilize subnet ranges (IPV4 & IPV6 address ranges).....1.0.64.0/24, 78.129.0.0/17, 185.91.188.0/22, 2001:218:3000::/46, 2001:410:80::/37, 2a00:df0::/32, 2a04:f580:9240::/48

4. The csv files utilize both IPV4 and IPV6 addresses

 

I'm totally open to suggestions, though.  Thanks!!

0 Karma
Reply

to4kawa
Ultra Champion
‎01-15-2021 02:01 PM

https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Iplocation

check Updating the MMDB file

0 Karma
Reply

frog22
Explorer
‎01-15-2021 08:00 PM

to4kawa, while I appreciate the assistance that is already information I have.  I'm able to replace/update the Geolocation data, but there are 3 other databases worth of information that are not Geolocation data.  Since they are, collectively, 4 independent databases I'm trying to figure out how to implement them in Splunk as I believe the other 3 require the ID field in the City database in order to correlate information within the individual databases.

0 Karma
Reply

jnhth
Explorer
‎05-17-2022 03:24 AM

did you find a solution for this?

0 Karma
Reply

hughkelley
Path Finder
‎11-28-2022 01:52 PM

In Splunk Cloud, CSVs are one way to go.   We did this with the free ASN DB when we moved to cloud (couldn't get https://splunkbase.splunk.com/app/3531 for cloud). 

In short,  it's a CSV-backed lookup with a CIDR match type over the column/field with the network range.

We're also looking at https://splunkbase.splunk.com/app/3022 now.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...