Splunk: Automatically update GeoIP database across environment

Information for this post was inspired by this post.

Edit: Also see George Starcher’s implementation.

With every Splunk upgrade, Splunk also ships an updated GeoIP database, found here. Instead of waiting for an upgrade, I wanted to automate pulling it on the search heads. The following is how you can set up the same in your environment.

Create app structure on Deployment Server

/opt/splunk/etc/deployment-apps/Splunk_geoip/
    bin
        get_maxmind_db.sh
    default
        inputs.conf
        limits.conf

get_maxmind_db.sh

This will download and extract the database, as well as set the correct permissions on it.

#!/bin/bash

# Author: Andrew Wurster
# Date: 13 Jan 2015

# Work inside the app's bin directory; abort if it is missing rather than
# downloading into whatever the current directory happens to be.
cd /opt/splunk/etc/apps/Splunk_geoip/bin || { echo 'Splunk_geoip bin directory not found, exiting.' ; exit 1; }

# Download the latest GeoLite2 City database; abort if the download fails.
wget -O GeoLite2-City-Latest.mmdb.gz http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz || { echo 'Could not download MaxMind GeoIP DB, exiting.' ; exit 1; }

# Unpack in place (-f overwrites last month's copy) and make it readable by splunkd.
gunzip -f GeoLite2-City-Latest.mmdb.gz
chmod 644 GeoLite2-City-Latest.mmdb

inputs.conf

This will automatically download the database at 11pm on the first Tuesday of every month.

[script:///opt/splunk/etc/apps/Splunk_geoip/bin/get_maxmind_db.sh]
index = main
interval = 0 23 1-7 * 2
sourcetype = splunk_geoip
disabled = false

limits.conf

This will redirect the default location of the GeoIP database to your app's directory.

[iplocation]
db_path = /opt/splunk/etc/apps/Splunk_geoip/bin/GeoLite2-City-Latest.mmdb

TODO: If you push this app out, it will work. However, when it is first pushed out nothing is downloaded until the schedule fires. You could specify another input that runs once and calls the script; I just ran the shell script manually once. All subsequent runs are automatic.
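The script above fetches the database over plain HTTP and installs whatever comes back, so a transfer error, a captive-portal HTML page or a tampered file ends up under the .mmdb name with nothing to flag it. The following is an added example of a hardened get_maxmind_db.sh, written for this page and not the original author's script: it downloads over HTTPS only, verifies a SHA-256 sidecar before unpacking, sanity-checks that the unpacked file carries the MaxMind DB metadata marker, and only then renames it into place, so any failure leaves the previous database in service and exits non-zero. DB_URL and SUM_URL are placeholders (the vendor's real URLs and any authentication it requires are not on this page), and the sidecar is assumed to hold the SHA-256 of the .gz file.

```shell
#!/bin/sh
# Added example (not the original post's script): hardened GeoIP updater.
# ASSUMPTIONS: DB_URL/SUM_URL are placeholders for the vendor's download and
# checksum URLs; the checksum is assumed to be the SHA-256 of the .gz file.

set -eu

APP_BIN="${APP_BIN:-/opt/splunk/etc/apps/Splunk_geoip/bin}"
DB_FILE="$APP_BIN/GeoLite2-City-Latest.mmdb"
DB_URL="${DB_URL:-https://geoip.example.invalid/GeoLite2-City.mmdb.gz}"  # placeholder
SUM_URL="${SUM_URL:-${DB_URL}.sha256}"                                   # placeholder

# verify_sha256 FILE EXPECTED_HEX: succeed only if FILE hashes to EXPECTED_HEX.
verify_sha256() {
    local file expected actual
    file="$1"
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    actual="$(sha256sum "$file" | awk '{print $1}')"
    [ "$actual" = "$expected" ]
}

# looks_like_mmdb FILE: succeed if FILE carries the MaxMind DB metadata marker
# ("MaxMind.com" preceded by 0xAB 0xCD 0xEF), which the format specification
# places within the last 128 KiB of the file. This cheaply rejects an HTML
# error page or a truncated download masquerading as the database.
looks_like_mmdb() {
    tail -c 131072 "$1" | grep -q 'MaxMind\.com'
}

# install_db NEW DEST: set permissions, then replace DEST with a single rename
# so splunkd never opens a half-written file.
install_db() {
    chmod 644 "$1"
    mv -f "$1" "$2"
}

# fetch_and_install: one full update cycle inside a private temp directory.
# Any failure returns non-zero with the current database left untouched.
fetch_and_install() {
    local work expected
    work="$(mktemp -d)"
    trap 'rm -rf "$work"' EXIT

    # --proto '=https' refuses any redirect to a non-TLS scheme; -f turns HTTP
    # error responses into failures instead of saving their body as the DB.
    curl -fsSL --proto '=https' -o "$work/db.gz" "$DB_URL"
    curl -fsSL --proto '=https' -o "$work/db.sha256" "$SUM_URL"

    expected="$(awk 'NR==1 {print $1}' "$work/db.sha256")"
    if ! verify_sha256 "$work/db.gz" "$expected"; then
        echo "GeoIP download failed SHA-256 verification; keeping current DB" >&2
        return 1
    fi

    gunzip -f "$work/db.gz"
    if ! looks_like_mmdb "$work/db"; then
        echo "Downloaded file is not a MaxMind DB; keeping current DB" >&2
        return 1
    fi

    install_db "$work/db" "$DB_FILE"
    echo "Installed $(wc -c < "$DB_FILE") byte GeoIP DB at $DB_FILE"
}

# Run the update only when invoked with the "fetch" argument, so the file can
# also be sourced (for testing the helpers) without touching the network.
if [ "${1:-}" = "fetch" ]; then
    fetch_and_install
fi
```

To keep the inputs.conf stanza from the post working, pass the argument in the stanza name, which Splunk allows for scripted inputs: `[script:///opt/splunk/etc/apps/Splunk_geoip/bin/get_maxmind_db.sh fetch]`. The script's stderr messages and non-zero exit are recorded by splunkd, so a checksum mismatch is visible in the internal logs rather than silently producing a stale or bogus database.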
