Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

MaxMind DB Usage (more than just City): How to store and link DBs?

frog22
Explorer
‎01-15-2021 10:55 AM

All,

Hopefully I have this in the correct location, I'm still new to all of this.

Anyway, we have a subscription to MaxMind databases (Connection-Type, Domain, and ISP databases) and I would like to implement them, but don't know how.  I don't know where to store the DB's, how to link them together (if they need to be linked), and how to add them so that I utilize them in searches.

I'm fairly new to Splunk, so feel free to treat me like someone who doesn't know anything.

Greatly appreciate your help with this!

Kevin

0 Karma
Reply

to4kawa
Ultra Champion
‎01-15-2021 08:16 PM

I've never done that before.
It seems to be provided as a CSV file, so why don't you register it as a lookup?

0 Karma
Reply

frog22
Explorer
‎01-21-2021 04:13 PM

to4kawa,

 

Lookups may be a possibility, but it's beyond my skill level and it adds layers of complication to the maintenance....

 

1. Updates come out weekly

2. There are 2 csv files per 1 mmdb file (6 csv files, 3 mmdb files), which will require a total of 6 lookups to maintain and run queries against

3. The csv files / mmdb's utilize subnet ranges (IPV4 & IPV6 address ranges).....1.0.64.0/24, 78.129.0.0/17, 185.91.188.0/22, 2001:218:3000::/46, 2001:410:80::/37, 2a00:df0::/32, 2a04:f580:9240::/48

4. The csv files utilize both IPV4 and IPV6 addresses

 

I'm totally open to suggestions, though.  Thanks!!

0 Karma
Reply

to4kawa
Ultra Champion
‎01-15-2021 02:01 PM

https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Iplocation

check Updating the MMDB file

0 Karma
Reply

frog22
Explorer
‎01-15-2021 08:00 PM

to4kawa, while I appreciate the assistance that is already information I have.  I'm able to replace/update the Geolocation data, but there are 3 other databases worth of information that are not Geolocation data.  Since they are, collectively, 4 independent databases I'm trying to figure out how to implement them in Splunk as I believe the other 3 require the ID field in the City database in order to correlate information within the individual databases.

0 Karma
Reply

jnhth
Explorer
‎05-17-2022 03:24 AM

did you find a solution for this?

0 Karma
Reply

hughkelley
Path Finder
‎11-28-2022 01:52 PM

In Splunk Cloud, CSVs are one way to go.   We did this with the free ASN DB when we moved to cloud (couldn't get https://splunkbase.splunk.com/app/3531 for cloud). 

In short,  it's a CSV-backed lookup with a CIDR match type over the column/field with the network range.

We're also looking at https://splunkbase.splunk.com/app/3022 now.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...