Anyone do anything with ASN enrichment?

I see the MaxMind GeoLite2 database has it, but I don't think the GeoIP function does it?


Try to download the GeoLite2-ASN.mmdb file


It seems like it contains the correct info. See screenshot


Based on the Cribl docs, I just see a reference to mmdb: https://docs.cribl.io/stream/geoip-function


Is the mmdb or csv preferred?


Correct, I have two options for ASN data with MaxMind: CSV or MMDB. Does Cribl have any testing on which one could be quicker?


I can only suspect the difference is minor. In both cases the lookup will be loaded into the worker processes' memory, so it should be fast regardless.


Thanks!


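An added example, not from the thread and not Cribl's own code: ASN enrichment from a CSV held in memory, using a sorted range table and binary search, which is why an in-memory lookup stays fast in either format. The header follows the GeoLite2 ASN IPv4 blocks CSV; the rows are constructed sample data, the function names are hypothetical, and the code assumes IPv4 only with non-overlapping blocks.

```javascript
// Constructed sample rows: documentation address ranges and documentation
// AS numbers (RFC 5737 / RFC 5398), not real MaxMind records.
const SAMPLE_CSV = `network,autonomous_system_number,autonomous_system_organization
192.0.2.0/24,64496,"Example Net, Inc."
198.51.100.0/25,64497,Example Transit
198.51.100.128/25,64498,Example Hosting
203.0.113.0/24,64499,Example ISP`;

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  return parts.reduce((n, p) => n * 256 + Number(p), 0);
}

// Parse the CSV once into {start, end, asn, org} rows sorted by range start.
function loadAsnTable(csv) {
  const rows = [];
  for (const line of csv.trim().split(/\r?\n/).slice(1)) {
    // The organization may be quoted and contain commas: split on the first two only.
    const m = line.match(/^([^,]+),(\d+),(.*)$/);
    if (!m) continue;
    const [net, bits] = m[1].split('/');
    const base = ipv4ToInt(net);
    const prefix = Number(bits);
    if (base === null || !Number.isInteger(prefix) || prefix < 0 || prefix > 32) continue;
    const size = 2 ** (32 - prefix);
    const start = base - (base % size); // normalise to the network address
    const org = m[3].replace(/^"|"$/g, '').replace(/""/g, '"');
    rows.push({ start, end: start + size - 1, asn: Number(m[2]), org });
  }
  return rows.sort((a, b) => a.start - b.start);
}

// Binary search for the block containing ip; returns {asn, org} or null.
function lookupAsn(table, ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return null;
  let lo = 0, hi = table.length - 1;
  while (lo <= hi) {
    const mid = (lo + hi) >> 1;
    if (n < table[mid].start) hi = mid - 1;
    else if (n > table[mid].end) lo = mid + 1;
    else return { asn: table[mid].asn, org: table[mid].org };
  }
  return null;
}
```

Load the table once at startup and call `lookupAsn` per event; an address outside every block or a malformed value returns `null`, so the enrichment field can simply be left unset.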