
Update GeoIP data for Splunk App

If you are using the GeoIP app for Splunk, you will find that it has not been updated recently: the last update was June 2011. Following my recent post regarding the installation of Splunk on an Ubuntu-based system, I started to dig into this app and found that it is a simple matter to update the MaxMind GeoIP Lite database to the latest version.

Head over to the MaxMind website and grab the latest version of the GeoLiteCity.dat.gz file.

Download: http://dev.maxmind.com/geoip/geolite

Now uncompress the download with gzip.

gzip -d GeoLiteCity.dat.gz

If you take a look in /opt/splunk/etc/apps/maps/bin/ of your Splunk install, you will see that the bundled GeoLiteCity.dat file is dated August 20, 2011. Time to update it to the latest version.

cp GeoLiteCity.dat /opt/splunk/etc/apps/maps/bin/
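As an added example (not part of the original post, and not code from the Splunk maps app), here is the same update wrapped in a small POSIX shell function that checks the archive is intact before touching the install, keeps the previous database as a .bak so a bad download can be rolled back, and swaps the new file in with a single rename so Splunk never reads a half-written .dat. The archive name and the /opt/splunk/etc/apps/maps/bin path come from the post; everything else (function names, the .bak naming, the temp file) is an assumption of this example. Run it as the user that owns the Splunk install so file ownership stays correct.

```shell
#!/bin/sh
# Added example, not from the original post: install a freshly downloaded
# GeoLiteCity.dat.gz into the Splunk maps app directory safely.
#
# Usage: sh update_geoip.sh GeoLiteCity.dat.gz /opt/splunk/etc/apps/maps/bin
# (both arguments are assumed: archive name and path as named in the post)

update_geoip_db() {
    archive="$1"
    app_bin="$2"
    target="$app_bin/GeoLiteCity.dat"

    # 1. Refuse to touch the install if the download is truncated or corrupt.
    gzip -t "$archive" || { echo "corrupt archive: $archive" >&2; return 1; }

    # 2. Decompress to a temp file inside the destination directory so the
    #    final mv is a rename on the same filesystem (atomic replace).
    tmp="$app_bin/.GeoLiteCity.dat.$$"
    gzip -dc "$archive" > "$tmp" || { rm -f "$tmp"; return 1; }

    # 3. Keep the previous database so the update can be rolled back, and
    #    give the new file the same mode Splunk already reads (GNU chmod
    #    --reference; falls back to 0644 where that flag is unavailable).
    if [ -f "$target" ]; then
        cp -p "$target" "$target.bak" || { rm -f "$tmp"; return 1; }
        chmod --reference="$target" "$tmp" 2>/dev/null || chmod 644 "$tmp"
    else
        chmod 644 "$tmp"
    fi

    # 4. Swap the new file into place in one step.
    mv "$tmp" "$target" || { rm -f "$tmp"; return 1; }
    echo "installed $(wc -c < "$target") bytes into $target"
}

# Restore the previous database if the new one turns out to be bad.
rollback_geoip_db() {
    app_bin="$1"
    target="$app_bin/GeoLiteCity.dat"
    [ -f "$target.bak" ] || { echo "no backup to restore" >&2; return 1; }
    mv "$target.bak" "$target"
}

# Only run when invoked with the two arguments; sourcing the file just
# defines the functions.
if [ "$#" -eq 2 ]; then
    update_geoip_db "$1" "$2"
fi
```

After the swap, the app picks up the new data on the next search; the post's observation that the shipped file is dated August 20, 2011 is exactly what the .bak copy preserves, so `ls -l --time-style=long-iso` on both files shows which database is live.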

Start searching Splunk with the latest GeoIP data from MaxMind. It really is that easy. 🙂