Tag: splunk

  • Update maxmind geoip database for iplocation splunk command

    If your Splunk version ships an outdated MaxMind database, the iplocation command will return wrong locations for some IPs. Follow these steps to update the MaxMind GeoLite2-City db file:

    1. Go to http://dev.maxmind.com/geoip/geoip2/geolite2/
    2. Download GeoLite2-City.mmdb
    3. Replace $SPLUNK_HOME/share/GeoLite2-City.mmdb with the downloaded file (on a Linux host this is usually /opt/splunk/share/GeoLite2-City.mmdb)
    4. No Splunk restart is needed; run a new query and Splunk picks up the new db by itself.
  • Splunk max min avg group by date

    Data:
    _time Value
    11/24/13 10:00:00 8
    11/25/13 10:01:00 6
    11/26/13 10:02:00 4

    Query:
    … | rename _time as Date | convert timeformat="%F" ctime(Date) | stats max(Value) as Max, min(Value) as Min, avg(Value) as Avg by Date
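
    To show what that search does outside Splunk, here is an added Python example (not from the original post) that reproduces the same pipeline: the timestamp is truncated to a date the way `convert timeformat="%F" ctime(Date)` does, then max, min and avg are computed per date the way `stats ... by Date` does. The events are constructed; a second event on 11/24 is added to the page's data so that one group actually has several values to aggregate.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the page's "_time Value" layout.
# The page has one event per day; the 14:30 event on 11/24 is added here
# so that at least one date has more than one value to aggregate.
EVENTS = [
    ("11/24/13 10:00:00", 8),
    ("11/24/13 14:30:00", 2),
    ("11/25/13 10:01:00", 6),
    ("11/26/13 10:02:00", 4),
]


def to_date(ts: str) -> str:
    """Equivalent of `convert timeformat="%F" ctime(Date)`: keep only YYYY-MM-DD."""
    return datetime.strptime(ts, "%m/%d/%y %H:%M:%S").strftime("%Y-%m-%d")


def stats_by_date(events):
    """Equivalent of `stats max(Value) as Max, min(Value) as Min, avg(Value) as Avg by Date`.

    Returns {date: {"Max": ..., "Min": ..., "Avg": ...}} sorted by date.
    """
    groups = defaultdict(list)
    for ts, value in events:
        groups[to_date(ts)].append(value)
    return {
        date: {"Max": max(vals), "Min": min(vals), "Avg": sum(vals) / len(vals)}
        for date, vals in sorted(groups.items())
    }


if __name__ == "__main__":
    # Print the result as Splunk's stats table would show it.
    print(f"{'Date':<12}{'Max':>5}{'Min':>5}{'Avg':>7}")
    for date, row in stats_by_date(EVENTS).items():
        print(f"{date:<12}{row['Max']:>5}{row['Min']:>5}{row['Avg']:>7.2f}")
```

With the constructed events, 2013-11-24 aggregates two values (Max 8, Min 2, Avg 5.0) while the other two dates, having a single event each, return that event's value in all three columns, which is exactly what the page's one-event-per-day data would produce.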