- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- MaxMind DB Usage (more than just City): How to sto...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
MaxMind DB Usage (more than just City): How to store and link DBs?
All,
Hopefully I have this in the correct location, I'm still new to all of this.
Anyway, we have a subscription to MaxMind databases (Connection-Type, Domain, and ISP databases) and I would like to implement them, but don't know how. I don't know where to store the DB's, how to link them together (if they need to be linked), and how to add them so that I utilize them in searches.
I'm fairly new to Splunk, so feel free to treat me like someone who doesn't know anything.
Greatly appreciate your help with this!
Kevin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
I've never done that before.
It seems to be provided as a CSV file, so why don't you register it as a lookup?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
to4kawa,
Lookups may be a possibility, but it's beyond my skill level and it adds layers of complication to the maintenance....
1. Updates come out weekly
2. There are 2 csv files per 1 mmdb file (6 csv files, 3 mmdb files), which will require a total of 6 lookups to maintain and run queries against
3. The csv files / mmdb's utilize subnet ranges (IPV4 & IPV6 address ranges).....1.0.64.0/24, 78.129.0.0/17, 185.91.188.0/22, 2001:218:3000::/46, 2001:410:80::/37, 2a00:df0::/32, 2a04:f580:9240::/48
4. The csv files utilize both IPV4 and IPV6 addresses
I'm totally open to suggestions, though. Thanks!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Iplocation
check Updating the MMDB file
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
to4kawa, while I appreciate the assistance that is already information I have. I'm able to replace/update the Geolocation data, but there are 3 other databases worth of information that are not Geolocation data. Since they are, collectively, 4 independent databases I'm trying to figure out how to implement them in Splunk as I believe the other 3 require the ID field in the City database in order to correlate information within the individual databases.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
did you find a solution for this?
It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!
Review:
SOAR (f.k.a. Phantom) >>
Enterprise Security >>
Splunk Enterprise or Cloud for Security >>
Observability >>
Or Learn More in Our Blog >>
