Update the geo information used by Splunk iplocation.


iplocation allows you to obtain location information from the IP address to which you are connecting. This is a very useful feature because it allows you to use the location information and display the results on a map. However, the location information will become outdated if it is not updated periodically after installation. It is updated at the time of upgrade, but the upgrade process is not performed so often.

If you had created a dashboard that checks AWS console access in your company, Employees living in Tokyo ended up in the Tochigi area. スクリーンショット 0002-12-02 午前10.48.53.png Now that I'm basically working from home, I thought I'd use Goto to work remotely. So, when I checked, it seems that you are in Tokyo, so I decided to update it because the data is old.

In fact, the location information data can be updated manually. The steps are listed below. https://docs.splunk.com/Documentation/Splunk/8.1.0/SearchReference/Iplocation

Splunk uses the Maxmind Geolocation database. Download the GeoLite2-City.mmdb file from the link above, and then click Just replace the file in $SPLUNK_HOME/share/.

* If you use the paid version, it will be possible to download and replace it regularly. Here is the result of replacing it with . スクリーンショット 0002-12-02 午前10.48.59.png I came back safely to Tokyo (laughs)!

If you think that the position you are displaying is strange, please consider replacing this file.

Happy Splunking!

Supplement: (*Added on 2020/12/10) As a precaution, if you update the files that are provided by the system during installation, the file integrity check will fail after the service is restarted. If it is an error in the updated file, you can safely ignore this error. By upgrading to the normal version, the manifest file containing the checksum value of these files and the file containing the geo information are also updated, so there will be no consistency error.

Updated on December 10, 2020