
Auto Update MaxMind Database

This Splunk app automatically updates the MaxMind database (used by the `iplocation` command).
The database update happens automatically every week. A user can also update the database on demand by running a search query.

This app automates the steps described here - https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/Iplocation#Updating_the_MMDB_file

Splunk-App-Auto-Update-MaxMind-Database

Splunk App that automatically updates the MaxMind database (used by the iplocation command)

Find the source code on GitHub - https://github.com/CrossRealms/Splunk-App-Auto-Update-MaxMind-Database

OVERVIEW

This Splunk app automatically updates the MaxMind database. The database update happens automatically every week. A user can also update the database on demand by running a search query. This automates the steps described here - https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/Iplocation#Updating_the_MMDB_file

  • Creates Index - False
  • Compatible with:
      • OS: Platform independent
      • Browser: Google Chrome, Mozilla Firefox, Safari

TOPOLOGY AND SETTING UP SPLUNK ENVIRONMENT

This app can be set up in two ways:

1. Standalone Mode:
  • Install the Auto Update MaxMind Database.
  • App setup is required.
2. Distributed Mode:
  • Install the Auto Update MaxMind Database only on the search head.
  • App setup is required on SH.
  • App installation is not required on any other instance.

INSTALLATION

Follow these steps to install the App from the bundle:

  • Download the App package.
  • From the UI navigate to Apps > Manage Apps.
  • In the top right corner select Install app from file.
  • Select Choose File and select the App package.
  • Select Upload and follow the prompts.

CONFIGURATION

  • Open the App and perform the configuration.
  • Complete configuration details are shown directly on the dashboard.
  • See troubleshooting for more details.

INSTALLATION AND CONFIGURATION FOR INDEXER CLUSTER

  • iplocation is a distributed command, so Splunk decides, based on the search query, whether the command is executed on the SH or on the indexers. It is therefore recommended to deploy the App on the Search Head as well as on the indexers.
  • Follow the steps below to deploy the App on the indexers.

Way-1: Deploy on all indexers from cluster master.

Note - This method stores the MaxMind license key in plain text. If you do not want that, use Way-2.

  • The App is pushed from the cluster master, so you don't have to deploy it manually on each indexer.
  • Download the App build from Splunkbase.
  • Extract the downloaded App build into the cluster master's $SPLUNK_HOME/etc/master-apps/ directory.
  • Create a local directory under $SPLUNK_HOME/etc/master-apps/splunk_maxmind_db_auto_update/.
  • Add an app.conf file in the newly created local folder:
        [install]
        is_configured = 1
  • Add a passwords.conf file in the newly created local folder, replacing <LICENSE_KEY> in the code below with your MaxMind license key:
        [credential:splunk_maxmind_db_auto_update:max_mind_license_key``splunk_cred_sep``1:]
        password = <LICENSE_KEY>
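
The Way-1 file steps as a script, added here as an example (it is not part of the App or its documentation). It assumes it runs as the user that owns the Splunk installation; the function name stage_maxmind_local and the MAXMIND_LICENSE_KEY environment variable are assumptions of this example. Because the license key sits in passwords.conf in plain text, the script creates that file readable by its owner only.

```sh
#!/bin/sh
# Added example: stage the Way-1 local/ configuration on the cluster master.
# The app folder name and both stanzas come from the page; the function name
# and the MAXMIND_LICENSE_KEY variable are assumptions of this example.

APP_NAME="splunk_maxmind_db_auto_update"

# Usage: stage_maxmind_local <splunk_home> <license_key>
stage_maxmind_local() {
    splunk_home=$1
    license_key=$2
    app_dir="$splunk_home/etc/master-apps/$APP_NAME"
    local_dir="$app_dir/local"

    # Stop if the app build has not been extracted into master-apps yet.
    [ -d "$app_dir" ] || { echo "missing $app_dir" >&2; return 1; }
    # Stop on an empty key or on the placeholder left unreplaced.
    case $license_key in
        ''|'<LICENSE_KEY>') echo "license key not set" >&2; return 1 ;;
    esac

    mkdir -p "$local_dir" || return 1
    printf '[install]\nis_configured = 1\n' > "$local_dir/app.conf" || return 1

    # The key is stored in plain text, so create the file owner-only.
    # The subshell keeps the restrictive umask from leaking to the caller.
    (
        umask 077
        printf '%s\npassword = %s\n' \
            '[credential:splunk_maxmind_db_auto_update:max_mind_license_key``splunk_cred_sep``1:]' \
            "$license_key" > "$local_dir/passwords.conf"
    ) || return 1
    # A file that already existed keeps its old mode, so set it explicitly.
    chmod 600 "$local_dir/passwords.conf"
}

# Runs only when the key is supplied through the environment, so the key is
# never a command-line argument visible in the process list.
if [ -n "${MAXMIND_LICENSE_KEY:-}" ]; then
    stage_maxmind_local "${SPLUNK_HOME:-/opt/splunk}" "$MAXMIND_LICENSE_KEY"
fi
```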

Way-2: Deploy on each indexer manually

Follow the INSTALLATION and CONFIGURATION sections above to install and deploy the App on each indexer. The process is the same as how you deploy the App on the Search Head.

UNINSTALL APP

To uninstall the app, follow the steps below:

  • SSH to the Splunk instance
  • Go to the apps folder ($SPLUNK_HOME/etc/apps)
  • Remove the splunk_maxmind_db_auto_update folder from the apps directory
  • Restart Splunk

KNOWN LIMITATION

  • NA

OPEN SOURCE COMPONENTS AND LICENSES

  • NA

TROUBLESHOOTING

  • Update database manually.
      • Run the `| maxminddbupdate` search from the Auto Update MaxMind Database App.
      • In the ideal scenario, it should show the message "Max Mind Database updated successfully."
  • Confirm that the database location has been updated:
      • Run `| rest /services/configs/conf-limits splunk_server=local | search title="iplocation" | table title, db_path`.
      • The results should show /opt/splunk/etc/apps/splunk_maxmind_db_auto_update/local/mmdb/GeoLite2-City.mmdb, where /opt/splunk is your Splunk home path; it could be different in your environment.

NOTES FOR SPLUNK CLOUD CUSTOMERS

I have tested the App on Splunk Cloud (Experience: Victoria). The installation and configuration work fine.
The App does not work on Classic Experience as the App involves inputs.conf to update DB on search heads which is not allowed in Classic Experience.

The iplocation command is a distributed command, so it executes on the Indexers. But in Splunk Cloud we have no way to update the latest MaxMind DB file on the Indexers.
I had a chat with Splunk Cloud engineers about it as well, but currently there is no way to achieve this in Splunk Cloud.

Cloud customers can still use the App. It's still better than having nothing, as I have tested the scenario below in Splunk Cloud distributed Search Head and Indexers cluster environment.

  • When the iplocation command executes on the Indexer, there is no difference between having the Auto Update MaxMind Database App installed and not having it.
  • When the iplocation command executes on the Search Head (generally this happens if there is a transforming command before the iplocation command), the new MaxMind DB updated by the App will be used, and the user has a better chance of getting accurate information.

Another point to consider is that there are multiple IP location databases out there, and they usually differ slightly in location anyway.

So, for Splunk Cloud customers (Victoria Experience) it improves the accuracy without manual intervention.

The most accurate solution for Splunk Cloud customers would be to update the MaxMind Database manually and regularly with the steps below (but most customers don't want to perform manual steps daily; it does not sound feasible for most customers):

  • Go to Settings > Lookups > GeoIP lookups file.
  • Upload the latest MaxMind DB file manually.

SUPPORT

  • Contact - CrossRealms International Inc.
  • US: +1-312-2784445
  • Copyright - Copyright CrossRealms Internationals, 2021

Release Notes

Version 1.1.0
June 10, 2022

Provided support for search head cluster and resolved cloud app-inspect issue.
(Now the App updates MaxMind DB with scripted input that runs on all Search Heads in Search Head Cluster instead of scheduled search which executes only on one SH.)

Version 1.0.4
Dec. 6, 2021

Added app.manifest file for Splunk-cloud.

Version 1.0.3
Aug. 25, 2021

Changes to make compatible with the latest Splunk AppInspect - Dashboards version changed to 1.1.

Version 1.0.2
June 28, 2021

  • Fixed the issue in the python custom command for detecting extracted directory for mmdb.

Version 1.0.1
April 12, 2021

  • App created based on URL from March 2021 on MaxMind to download the database.
  • Added better error handling.

Version 1.0.0
March 30, 2021

  • App created based on URL from March 2021 on MaxMind to download the database.
