Splunk: Automatically update GeoIP database across environment

Information for this post was inspired by this post.

Edit: Also see George Starcher’s implementation.

With every Splunk release, Splunk also ships an updated GeoIP database (found here). Instead of waiting for the next release, I wanted to automate pulling the database on the search heads. The following is how you can set up the same thing in your environment.

Create app structure on Deployment Server



The update script, placed in the app’s bin directory, downloads and extracts the database and sets the correct permissions on it so the Splunk user can read it.


#!/bin/sh
# Author: Andrew Wurster
# Date: 13 Jan 2015
#
# Download the latest MaxMind GeoLite2 City database into the app's bin
# directory, decompress it, and make it world-readable for the Splunk user.

cd /opt/splunk/etc/apps/Splunk_geoip/bin || { echo 'App bin directory not found, exiting.' ; exit 1; }

wget -O GeoLite2-City-Latest.mmdb.gz http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.mmdb.gz || { echo 'Could not download MaxMind GeoIP DB, exiting.' ; exit 1; }
gunzip -f GeoLite2-City-Latest.mmdb.gz
chmod 644 GeoLite2-City-Latest.mmdb
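The script above fetches over plain HTTP and runs gunzip -f straight over the live file, so a truncated or tampered download becomes a broken database that the iplocation command reads immediately. The following is an added example, not the post's script, of a hardened update step: download to a temporary file, reject a corrupt archive with gzip -t, optionally compare against a pinned SHA-256 you maintain in a file named <archive>.sha256, and rename the finished file over the old database so Splunk only ever sees the old copy or the new one. GEOIP_URL is an assumed environment variable holding your (https) MaxMind download URL; APP_BIN defaults to the app path used in the post.

```shell
#!/bin/sh
# Added example (not the post's script). Refreshes the GeoIP database safely:
# download to a temp file, verify it, then atomically replace the live copy.
# Assumptions: GEOIP_URL is an environment variable holding your (https)
# MaxMind download URL; APP_BIN matches the app layout from the post.
set -eu

APP_BIN="${APP_BIN:-/opt/splunk/etc/apps/Splunk_geoip/bin}"
DB_NAME="GeoLite2-City-Latest.mmdb"

# Hex SHA-256 of a file; falls back to shasum on systems without sha256sum
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# install_db SRC_GZ DEST_MMDB
# Validates SRC_GZ and installs it as DEST_MMDB. On any failure the function
# returns 1 and DEST_MMDB is left exactly as it was.
install_db() {
    src_gz=$1
    dest=$2
    dest_dir=$(dirname "$dest")

    # 1. Integrity: gzip -t fails on truncated or non-gzip downloads, which
    #    gunzip -f in the original would otherwise turn into a broken db file.
    gzip -t "$src_gz" 2>/dev/null || { echo "corrupt archive: $src_gz" >&2; return 1; }

    # 2. Optional pinned checksum: "<archive>.sha256" holding "<hex>  <name>"
    #    (maintained by you, e.g. copied from the vendor's published digest).
    if [ -f "$src_gz.sha256" ]; then
        expected=$(cut -d' ' -f1 "$src_gz.sha256")
        actual=$(sha256_of "$src_gz")
        [ "$expected" = "$actual" ] || { echo "checksum mismatch: $src_gz" >&2; return 1; }
    fi

    # 3. Decompress into a temp file on the same filesystem, then rename over
    #    the old database; rename is atomic, so a reader sees old or new, never half.
    tmp=$(mktemp "$dest_dir/.$(basename "$dest").XXXXXX")
    if ! gzip -dc "$src_gz" > "$tmp"; then
        rm -f "$tmp"
        echo "decompress failed: $src_gz" >&2
        return 1
    fi
    chmod 644 "$tmp"
    mv -f "$tmp" "$dest"
}

# fetch_db URL DEST_GZ: download quietly, failing loudly like the original
fetch_db() {
    wget -q -O "$2" "$1" || { echo "Could not download MaxMind GeoIP DB" >&2; return 1; }
}

main() {
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT
    fetch_db "$GEOIP_URL" "$workdir/$DB_NAME.gz"
    install_db "$workdir/$DB_NAME.gz" "$APP_BIN/$DB_NAME"
}

# Only run the download when a URL is configured, so the functions above can
# also be sourced and exercised without network access.
if [ -n "${GEOIP_URL:-}" ]; then
    main
fi
```

Run it as the same scripted input the post schedules, with GEOIP_URL exported in the Splunk user's environment or set at the top of the script. Because the live .mmdb is only ever replaced by a rename, a failed run at 11pm leaves last month's working database in place rather than an empty or half-written file.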


This scripted input stanza in inputs.conf will automatically run the script, and so download the database, at 11pm on the first Tuesday of every month.

# inputs.conf
# The stanza name points at the update script in the app's bin directory;
# <update_script> is a placeholder for whatever you named the script above.
[script://./bin/<update_script>.sh]
index = main
interval = 0 23 1-7 * 2
sourcetype = splunk_geoip
disabled = false


This limits.conf setting points the iplocation command at the database in your app’s bin directory instead of the copy shipped with Splunk.

# limits.conf
[iplocation]
db_path = /opt/splunk/etc/apps/Splunk_geoip/bin/GeoLite2-City-Latest.mmdb

TODO: If you push this app out, it’ll work. However, when it first gets pushed out, it won’t download anything until the next scheduled run. You could specify another input that runs once and calls the script; however, I just manually ran the shell script once. All subsequent runs will be automatic.

