Closed DVRusak closed 6 months ago
If you look in the WinMerge program, the differences are in two memes in one line
The official MMDB is also written with this library. Does Splunk provide a particular error?
There may be some additional information in the logs, but you need to know where to look
The error in the screenshot occurs if the raw mmdb is replaced in the Splunk files with a custom version.
Accordingly, if the replacement is made through the web console, then Splunk will not allow you to download this file
The problem was solved after manually replacing the string element " w" with "Ben" (marked in yellow in the last screenshot)
Moreover, if you use lookups in python and go languages, then there will be no difference in the metadata when reading. But in the hex editor the difference is visible, and not only in build_epoch.
Apparently Splunk cannot read the slightly different mmdb metadata structure.
I am guessing the issue is that Splunk is using an old version of libmaxminddb that does not correctly handle pointers in the metadata. You can disable these with the DisableMetadataPointers option.
In general, the situation is this: I use mmdb to determine the ip location in traffic in Splunk using the module | iplocation.
When you load a regular mmdb without changes, it loads well.
When you load an mmdb file processed by the library, it’s a completely different bad outcome.
That is, in general, I simply took and rewrote mmdb without making changes, and still Splunk did not want to accept it.
Question: what does the library do that makes Splunk stop accepting the file??? (If you look at the metadata, only build_epoch changes. The file size does not change.)
Code for just rewrite mmdb:

```go
package main

import (
	"log"
	"os"
)

func main() {
}
```
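To check whether a given .mmdb file contains the metadata pointers discussed in this thread, the metadata section can be walked directly and every pointer field (type 1) reported. This is an added example, not code from the thread or from the mmdbwriter project; the names `metadata_pointers`, `_walk` and `SAMPLE` are hypothetical, the sample bytes are constructed, and the decoding follows the published MaxMind DB data format.

```python
import sys

MARKER = b"\xab\xcd\xefMaxMind.com"  # precedes the metadata section
POINTER, MAP, ARRAY, BOOLEAN = 1, 7, 11, 14  # MMDB data-format type numbers
SIZE_BASE = {29: 29, 30: 285, 31: 65821}  # size 29/30/31: add next 1/2/3 bytes
SAMPLE = (b"search tree and data" + MARKER + b"\xe2\x49languages\x01\x04\x42en"
          b"\x4bdescription\xe1\x20\x0d\x41x")  # constructed; pointer used as a key


def _walk(buf, off, found):
    """Decode one value at off, record pointer offsets, return the next offset."""
    start, typ, size = off, buf[off] >> 5, buf[off] & 0x1F
    off += 1
    if typ == 0:  # extended type: the next byte holds type - 7
        typ, off = buf[off] + 7, off + 1
    if typ == POINTER:  # size bits 3-4 select 1..4 address bytes
        found.append(start)
        size = (size >> 3) + 1
    elif typ == BOOLEAN:  # value sits in the size bits, no payload
        size = 0
    elif size > 28:
        extra = size - 28
        size = SIZE_BASE[size] + int.from_bytes(buf[off:off + extra], "big")
        off += extra
    if typ in (MAP, ARRAY):  # containers: a map holds size key/value pairs
        for _ in range(size * 2 if typ == MAP else size):
            off = _walk(buf, off, found)
        return off
    if off + size > len(buf):
        raise IndexError("value runs past the end of the metadata")
    return off + size


def metadata_pointers(db):
    """Return offsets, relative to the metadata start, of pointer fields."""
    pos = db.rfind(MARKER)
    if pos < 0:
        raise ValueError("metadata marker not found")
    found = []
    try:
        _walk(db[pos + len(MARKER):], 0, found)
    except (IndexError, RecursionError):
        raise ValueError("truncated or malformed metadata") from None
    return found


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("pointer fields at metadata offsets:", metadata_pointers(data))
```

An empty list means the metadata holds no pointers; a non-empty list on a rewritten file is consistent with the diagnosis given in the thread.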