MaxMind GeoIP2 offerings provide IP geolocation and proxy detection for a wide range of applications including content customization, advertising, digital rights management, compliance, fraud detection, and security.
This Splunk technology add-on provides a custom search command (`geoip`) to query MaxMind GeoIP2 databases for IP address enrichment.
- Splunk Enterprise version 8.0 or later, with Python 3.7. Splunk Enterprise version 7.x is not supported.
- Access to one or more of the MaxMind GeoIP2 databases:
  - City: `GeoIP2-City.mmdb` / `GeoLite2-City.mmdb`
  - Anonymous IP (Proxy Detection): `GeoIP2-Anonymous-IP.mmdb`
  - ISP: `GeoIP2-ISP.mmdb`
  - Connection Type: `GeoIP2-Connection-Type.mmdb`
  - Domain: `GeoIP2-Domain.mmdb`
  - ASN: `GeoLite2-ASN.mmdb`
MaxMind provides free versions of some of their databases (GeoLite2).
The `geoip` command is a distributable streaming command (see Command types). The replication settings within `distsearch.conf` allow the command to run on indexers.
- Install this TA under `$SPLUNK_HOME/etc/apps`.
- Copy any available MaxMind GeoIP2 databases to `$SPLUNK_HOME/etc/apps/TA-geoip2/data/databases/`.
See usage for detailed usage instructions.
Syntax: `geoip [prefix=<string>] [fillnull=<string>] [field=<ip-address-fieldname>] <geoip-databases>`

Where `<geoip-databases>` is one or more of: `anonymous_ip`, `asn`, `city`, `connection_type`, `domain`, `isp`, or `all`.
This will include fields from the requested databases, as defined in the databases documentation.
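An added example search (not part of this add-on's documentation) that enriches both ends of a firewall connection in one pipeline by calling `geoip` twice with distinct prefixes. The index, sourcetype and the `src_ip`/`dest_ip` field names are placeholders for your own data; the enriched field names are whatever the command produces for each database, so the `prefix` value is used to select them with a wildcard.

```spl
index=firewall sourcetype=firewall_traffic action=allowed
| geoip field=src_ip  prefix=src_  fillnull=unknown city asn anonymous_ip
| geoip field=dest_ip prefix=dest_ fillnull=unknown city asn
| table _time src_ip src_* dest_ip dest_*
```

Separate prefixes keep the source-side and destination-side enrichment fields apart, and `fillnull=unknown` gives addresses a database does not cover (private ranges, for example) a value that later grouping does not silently drop.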
None.
More details about the GeoIP2 Databases can be found on the MaxMind website.