Splunk: Automatically update GeoIP database across environment

The information in this post was inspired by this post.

Edit: Also see George Starcher’s implementation.

With every Splunk upgrade, Splunk also ships an updated GeoIP database, found here. Instead of waiting for the next upgrade, I wanted to automate pulling the database on the search heads. The following is how you can set up the same in your environment.

Create app structure on Deployment Server

/opt/splunk/etc/deployment-apps/Splunk_geoip/
    bin
        get_maxmind_db.sh
    default
        inputs.conf
        limits.conf

get_maxmind_db.sh

This will download and extract the database, as well as set the correct permissions on it.

#!/bin/bash

# Author: Andrew Wurster
# Date: 13 Jan 2015

# Work from the app's bin directory; bail out rather than downloading into the wrong place.
cd /opt/splunk/etc/apps/Splunk_geoip/bin || { echo 'Splunk_geoip bin directory not found, exiting.' ; exit 1; }

# Download the compressed database, extract it in place, and make it readable by Splunk.
wget -O GeoLite2-City-Latest.mmdb.gz http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz || { echo 'Could not download MaxMind GeoIP DB, exiting.' ; exit 1; }
gunzip -f GeoLite2-City-Latest.mmdb.gz
chmod 644 GeoLite2-City-Latest.mmdb
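
A hardened variant of the script, added here as an example and not the post's own code: it downloads to a temp file, checks the gzip stream and the MaxMind metadata marker, and only then renames the result over the live database, so a failed or truncated download (or an HTML error page served instead of the archive) cannot leave the search head with a broken or empty database. The path and URL are assumptions taken from the post's script (the URL switched to HTTPS); adjust both for your environment.

```bash
#!/bin/bash
# Hardened variant of get_maxmind_db.sh (added example, not the post's script).
# Download to a temp file, verify the archive and the .mmdb marker, and only
# then rename over the live database, so a failed or truncated download can
# never clobber the copy the search head is currently using.
set -eu

# Assumed defaults: the post's path and URL (switched to HTTPS); override via env.
GEOIP_URL="${GEOIP_URL:-https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz}"
APP_BIN="${APP_BIN:-/opt/splunk/etc/apps/Splunk_geoip/bin}"
DB_NAME="GeoLite2-City-Latest.mmdb"

# Every MaxMind DB ends with a metadata section introduced by the 14-byte
# marker \xab\xcd\xef"MaxMind.com"; an HTML error page or empty file lacks it.
validate_mmdb() {
    marker="$(printf '\253\315\357MaxMind.com')"
    [ -s "$1" ] && LC_ALL=C grep -q -a -F -e "$marker" "$1"
}

# Replace the live DB with a verified file in one rename (same filesystem),
# after setting the 0644 mode the post's script applies. Refuses bad input.
install_db() {
    src="$1"; dest="$2"
    if ! validate_mmdb "$src"; then
        echo "refusing to install $src: not a MaxMind DB" >&2
        return 1
    fi
    chmod 644 "$src"
    mv -f "$src" "$dest"
}

# Fetch, test the gzip stream, unpack beside the destination, then install.
fetch_db() {
    tmp="$(mktemp "$APP_BIN/.geoip.XXXXXX")"
    trap 'rm -f "$tmp" "$tmp.gz"' EXIT
    wget -q -O "$tmp.gz" "$GEOIP_URL" ||
        { echo 'Could not download MaxMind GeoIP DB, exiting.' >&2; return 1; }
    gunzip -t "$tmp.gz"            # corrupt/truncated archive aborts here (set -e)
    gunzip -c "$tmp.gz" > "$tmp"
    install_db "$tmp" "$APP_BIN/$DB_NAME"
    echo "GeoIP DB updated: $APP_BIN/$DB_NAME"
}

# Splunk should call "get_maxmind_db.sh update"; with no argument the script
# only defines the functions above, so they can be exercised in isolation.
case "${1:-}" in
    update) fetch_db ;;
esac
```

Splunk scripted inputs accept arguments in the stanza path, so the inputs.conf stanza becomes `[script:///opt/splunk/etc/apps/Splunk_geoip/bin/get_maxmind_db.sh update]`. MaxMind has required an account and license key for GeoLite2 downloads since the end of 2019, so the default URL above must be replaced with a licensed download link.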

inputs.conf

This will automatically download the database at 11pm on the first Tuesday of every month.

[script:///opt/splunk/etc/apps/Splunk_geoip/bin/get_maxmind_db.sh]
index = main
interval = 0 23 1-7 * 2
sourcetype = splunk_geoip
disabled = false

limits.conf

This will redirect the default location of the GeoIP database to your app's directory.

[iplocation]
db_path = /opt/splunk/etc/apps/Splunk_geoip/bin/GeoLite2-City-Latest.mmdb

TODO: If you push this app out, it’ll work. However, when it first gets pushed out, it won’t download anything. You could specify another input that runs once and calls the script, however I just manually ran the shell script once. All subsequent times will be automatic.
