Splunk App that auto-updates the MaxMind database (used for
Find Sourcecode on GitHub - https://github.com/CrossRealms/Splunk-App-Auto-Update-MaxMind-Database
This Splunk app automatically updates the MaxMind database. The update runs every week, and a user can also update the database on demand by running a search query. The app automates the steps described here - https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/Iplocation#Updating_the_MMDB_file
This app can be set up in two ways:
1. Standalone Mode:
* Install the Auto Update MaxMind Database App.
* App setup is required.
2. Distributed Mode:
* Install the Auto Update MaxMind Database App only on the search head.
* App setup is required on the SH.
* App installation is not required on any other instance.
Follow the below-listed steps to install an App from the bundle:
1. Go to Apps > Manage Apps.
2. Click Install app from file.
3. Click Choose File and select the App package.
4. Click Upload and follow the prompts.
iplocation is a distributed command, so depending on the search query Splunk decides whether the command executes on the SH or on the indexers. It is therefore recommended to deploy the App on the Search Head as well as on the indexers.
Note - If you do not want to add the MaxMind license key in plain text, use the following steps:
* Create a local folder inside the app directory ($SPLUNK_HOME/etc/apps/splunk_maxmind_db_auto_update/local).
* Create an app.conf file in the newly created local folder with the following content:
[install]
is_configured = 1
* Create a passwords.conf file in the newly created local folder, and replace <LICENSE_KEY> in the below code with your MaxMind license key:
[credential:splunk_maxmind_db_auto_update:max_mind_license_key``splunk_cred_sep``1:]
password = <LICENSE_KEY>
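Splunk rewrites the password value in passwords.conf in encrypted form the next time it starts, so the clear-text key should exist in that file only until the restart. The script below is an added example (not part of this app) that parses a passwords.conf, splits each credential stanza into realm and username (undoing Splunk's ``splunk_cred_sep`` escape for colons), and reports any credential whose password is still in clear text or still the unreplaced <LICENSE_KEY> placeholder. The sample file content is constructed; the $7$ value in it is a made-up string shaped like Splunk's encrypted output, not real ciphertext.

```python
import configparser

# Escape Splunk uses for a ':' inside a realm or username in passwords.conf.
CRED_SEP = "``splunk_cred_sep``"

# Constructed sample of local/passwords.conf. The first stanza is the one this
# page tells you to create, with the placeholder still unreplaced; the second
# shows the shape of a stanza after Splunk has restarted and encrypted it
# (the $7$ value is a made-up string, not real ciphertext).
SAMPLE_PASSWORDS_CONF = """
[credential:splunk_maxmind_db_auto_update:max_mind_license_key``splunk_cred_sep``1:]
password = <LICENSE_KEY>

[credential:another_app:api_token:]
password = $7$ZmFrZS1jaXBoZXJ0ZXh0LWZvci1pbGx1c3RyYXRpb24=
"""


def is_encrypted(value):
    """Splunk stores encrypted passwords as $7$... ($1$... on older releases)."""
    return value.startswith("$7$") or value.startswith("$1$")


def parse_passwords_conf(text):
    """Return one dict per [credential:...] stanza with realm, username and status."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    creds = []
    for section in cp.sections():
        if not (section.startswith("credential:") and section.endswith(":")):
            continue  # not a credential stanza
        realm, _, username = section[len("credential:"):-1].partition(":")
        password = cp.get(section, "password", fallback="").strip()
        creds.append({
            "realm": realm.replace(CRED_SEP, ":"),
            "username": username.replace(CRED_SEP, ":"),
            "encrypted": is_encrypted(password),
            "placeholder": password == "<LICENSE_KEY>",
        })
    return creds


def find_plaintext_credentials(text):
    """Credentials still stored in clear text (an unreplaced placeholder counts too)."""
    return [c for c in parse_passwords_conf(text) if not c["encrypted"]]


if __name__ == "__main__":
    for cred in find_plaintext_credentials(SAMPLE_PASSWORDS_CONF):
        state = "placeholder not replaced" if cred["placeholder"] else "plain text"
        print(f"{cred['realm']} / {cred['username']}: {state}")
```

Run it against $SPLUNK_HOME/etc/apps/splunk_maxmind_db_auto_update/local/passwords.conf after the restart; if the MaxMind stanza is still reported, either the restart did not happen or the file was not picked up.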
Follow the CONFIGURATION section above to install and deploy the app on the indexer. The process is the same as deploying the App on the Search Head.
To uninstall the app, follow these steps:
* SSH to the Splunk instance
* Go to the apps folder ($SPLUNK_HOME/etc/apps)
* Remove the splunk_maxmind_db_auto_update folder from the apps directory
* Restart Splunk
To update the database on demand, run the | maxminddbupdate search from the Auto Update MaxMind Database App. On success it returns the message:
Max Mind Database updated successfully.
To check which MMDB file the iplocation command is using, run the following search:
| rest /services/configs/conf-limits splunk_server=local | search title="iplocation" | table title, db_path
In the output, /opt/splunk is your Splunk home path; it could be different in your environment.
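After deployment there are two things worth confirming: that db_path points at the file the app maintains, and that the file is actually being refreshed on the weekly schedule. The script below is an added example, not code from the app. It reads the JSON that GET /services/configs/conf-limits/iplocation?output_mode=json returns (the same data the | rest search above shows) and flags a missing db_path, a db_path outside the expected app directory, a file that does not exist, or an MMDB file older than the weekly schedule. The sample response, the file name GeoLite2-City.mmdb and the location under the app's local folder are constructed assumptions; the app's real storage path may differ, so pass the correct expected directory.

```python
import json
import os
import time

# Constructed sample of the JSON returned by
# GET /services/configs/conf-limits/iplocation?output_mode=json
# (the same data the "| rest" search on this page shows). The db_path value
# is an assumed location; the app's real file name and folder may differ.
SAMPLE_REST_JSON = json.dumps({
    "entry": [
        {"name": "iplocation",
         "content": {"db_path": "/opt/splunk/etc/apps/splunk_maxmind_db_auto_update/local/GeoLite2-City.mmdb"}}
    ]
})

SECONDS_PER_DAY = 86400


def extract_db_path(rest_json):
    """Return the db_path from the iplocation stanza, or '' if none is set."""
    data = json.loads(rest_json)
    for entry in data.get("entry", []):
        if entry.get("name") == "iplocation":
            return entry.get("content", {}).get("db_path", "") or ""
    return ""


def file_mtime(path):
    """Modification time of path in epoch seconds, or None if it does not exist."""
    try:
        return os.path.getmtime(path)
    except OSError:
        return None


def check_iplocation_db(rest_json, expected_dir, max_age_days=8,
                        mtime_of=file_mtime, now=None):
    """Return a list of findings; an empty list means the setup looks healthy.

    expected_dir: directory the app is expected to keep the MMDB in (assumed).
    max_age_days: weekly schedule plus one day of slack.
    mtime_of / now: injectable for testing; defaults use the real filesystem and clock.
    """
    now = time.time() if now is None else now
    findings = []
    db_path = extract_db_path(rest_json)
    if not db_path:
        return ["no db_path set for iplocation: Splunk falls back to its bundled MMDB"]
    expected_dir = expected_dir.rstrip(os.sep) + os.sep
    if not db_path.startswith(expected_dir):
        findings.append(f"db_path {db_path} is outside {expected_dir}; "
                        "the app-maintained database is not the one in use")
    mtime = mtime_of(db_path)
    if mtime is None:
        findings.append(f"{db_path} does not exist on this instance")
    else:
        age_days = (now - mtime) / SECONDS_PER_DAY
        if age_days > max_age_days:
            findings.append(f"{db_path} is {age_days:.0f} days old; "
                            f"the weekly update has not run (limit {max_age_days} days)")
    return findings


if __name__ == "__main__":
    # Run against the constructed sample, pretending the file was refreshed 2 days ago.
    two_days_ago = time.time() - 2 * SECONDS_PER_DAY
    for finding in check_iplocation_db(SAMPLE_REST_JSON,
                                       "/opt/splunk/etc/apps/splunk_maxmind_db_auto_update",
                                       mtime_of=lambda p: two_days_ago):
        print("FINDING:", finding)
```

On a real instance, fetch the JSON with the management port (8089) using an account that can read limits.conf, and run the check on every host where iplocation may execute; on a distributed setup that includes the indexers, which is exactly where a stale or default MMDB tends to go unnoticed.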
I have tested the App on Splunk Cloud (Experience: Victoria). The installation and configuration work fine.
The App does not work on the Classic Experience, because the App uses inputs.conf to update the DB on search heads, which is not allowed in the Classic Experience.
The iplocation command is a distributed command, so it executes on the indexers. But in Splunk Cloud there is no way to update the latest MaxMind DB file on the indexers.
I had a chat with Splunk Cloud engineers about it as well, but currently there is no way to achieve this in Splunk Cloud.
Cloud customers can still use the App. It is still better than having nothing, as I have tested the scenario below in a Splunk Cloud distributed Search Head and Indexer cluster environment.
Auto Update MaxMind Database App.
iplocation command), in that case the new MaxMind DB updated by the App will be used, and the user has a better chance of getting accurate information.
Another point to consider is that there are multiple IP location databases out there, and they usually differ slightly in location anyway.
So, for Splunk Cloud customers (Victoria Experience) the App improves accuracy without manual intervention.
The most accurate solution for Splunk Cloud customers would be to update the MaxMind Database manually on a regular basis with the steps below (but most customers do not want to perform manual steps daily; it is not feasible for most customers):
GeoIP lookups file.
Provided support for search head clusters and resolved the cloud AppInspect issue.
(The App now updates the MaxMind DB with a scripted input that runs on all Search Heads in a Search Head Cluster, instead of a scheduled search that executes on only one SH.)
Added an app.manifest file for Splunk Cloud.
Changes to make the App compatible with the latest Splunk AppInspect - dashboard version changed to 1.1.