I am aware of lookup tables and static databases. I theorised that I could extend an event with geolocation data by maintaining a geolocation DB folder and performing a lookup from the DBs there, where the DB names are basically in a time-like format and the proper DB can be chosen based on the event timestamp.
That, however, creates a problem of maintaining an ever-increasing historical database folder, whose size depends on how frequently every new DB is downloaded, so it's actually a size/accuracy inverse proportion.
For a single indexer I am not sure how feasible that would be, even after having managed automatic geolocation db downloading and naming.
I am aware of the iplocation command, but there was a thread where a user determined that its source is a fixed database, ipv4.geodb, plus iso3166 mappings. The latter I can find in my /splunk/share; the former I assume has been replaced by GeoLite2-City.mmdb. In the thread I refer to, an answer was given that the old ipv4.geodb had been updated every two months, which unfortunately is not often enough for security purposes, hence I suppose I need to use an external geolocation DB source.
Almost a year has passed since the thread I mention, so I suppose a lot could have changed in that department - has it? However, even in that case, I still don't know how to maintain historical location data for IP addresses.
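The snapshot-selection idea sketched in the post (a folder of dated geolocation DBs, pick the one that was current at the event's timestamp) and the retention trade-off it raises can both be shown in code. The block below is an added example, not the original poster's code or anything shipped by Splunk or MaxMind. It assumes a hypothetical naming scheme of `GeoLite2-City-YYYYMMDD.mmdb`, where the date is the day the snapshot was downloaded, takes Splunk-style epoch `_time` values, and uses only the standard library, so it runs without any real `.mmdb` file (the directory listing is constructed inline). Opening the chosen file with a MaxMind reader is left to the caller.

```python
"""Select the geolocation DB snapshot that was current at an event's
timestamp, and thin old snapshots to bound folder size.

Added example, not the original poster's code. Assumed naming convention:
GeoLite2-City-YYYYMMDD.mmdb, dated by download day (hypothetical).
"""
import bisect
import re
from datetime import datetime, timedelta, timezone

# Hypothetical file-name pattern; the 8 digits are the download date (UTC).
SNAPSHOT_RE = re.compile(r"^GeoLite2-City-(\d{8})\.mmdb$")


def parse_snapshots(names):
    """Return [(snapshot_datetime_utc, file_name)] sorted ascending.

    Files that do not match the naming convention are ignored, so stray
    files such as an iso3166 mapping CSV in the same folder do no harm.
    """
    out = []
    for name in names:
        m = SNAPSHOT_RE.match(name)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y%m%d").replace(tzinfo=timezone.utc)
        out.append((ts, name))
    out.sort()
    return out


def choose_snapshot(snapshots, event_time):
    """Latest snapshot whose date is <= event_time.

    Returns None when the event predates every snapshot. The caller should
    treat that as "no reliable location" rather than silently falling back
    to a newer DB, since IP space may have been reassigned in between.
    """
    keys = [ts for ts, _ in snapshots]
    i = bisect.bisect_right(keys, event_time)
    if i == 0:
        return None
    return snapshots[i - 1][1]


def choose_for_epoch(snapshots, epoch_seconds):
    """Same as choose_snapshot, but takes a Splunk-style epoch _time value."""
    return choose_snapshot(
        snapshots, datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)
    )


def thin_snapshots(snapshots, now_epoch, keep_all_days=90):
    """Retention policy for the size/accuracy trade-off.

    Keeps every snapshot from the last keep_all_days, and only the first
    snapshot of each calendar month before that. Returns the file names
    that can be deleted; older events then resolve against a coarser
    (up to one month old) snapshot instead of being unresolvable.
    """
    cutoff = datetime.fromtimestamp(now_epoch, tz=timezone.utc) - timedelta(
        days=keep_all_days
    )
    kept_months = set()
    to_delete = []
    for ts, name in snapshots:  # ascending, so the first per month is kept
        if ts >= cutoff:
            continue
        month = (ts.year, ts.month)
        if month in kept_months:
            to_delete.append(name)
        else:
            kept_months.add(month)
    return to_delete


# Constructed directory listing for the demo; these files do not exist.
SAMPLE_DIR = [
    "GeoLite2-City-20240105.mmdb",
    "GeoLite2-City-20240119.mmdb",
    "GeoLite2-City-20240202.mmdb",
    "GeoLite2-City-20240216.mmdb",
    "GeoLite2-City-20240301.mmdb",
    "iso3166.csv",  # unrelated file in the same folder, ignored
]

if __name__ == "__main__":
    snaps = parse_snapshots(SAMPLE_DIR)
    # Event at 2024-02-10 12:00 UTC resolves to the 2024-02-02 snapshot.
    print(choose_for_epoch(snaps, 1707566400))
    # Event from 2023 predates every snapshot: None, not the newest DB.
    print(choose_for_epoch(snaps, 1703980800))
    # Thinning as of 2024-06-01 keeps one snapshot per month.
    print(thin_snapshots(snaps, 1717200000))
```

In a Splunk custom search command the folder would be listed once per invocation, `choose_for_epoch` called with each event's `_time`, and the returned file opened with a MaxMind reader; the thinning routine would run from the same scheduled job that downloads new snapshots.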