topic Re: * | geoip clientip returns error. HELP HELP! ___ in Security

* | geoip clientip returns error. HELP HELP! ___

hunterppp — Sat, 11 Dec 2010 05:00:32 GMT

I did * | geoip clientip

yet I get an error:

"External search command 'geoip' returned error code 1. First 1000 (of 9218) bytes of script output:" followed by the script output.

A screenshot is here:

http://tinypic.com/r/2hnb1cp/7

Re: * | geoip clientip returns error. HELP HELP! ___

ftk — Sat, 11 Dec 2010 05:04:44 GMT

You can do:

* | geoip clientip

This will pipe all events in the index into the geoip tool.

Re: * | geoip clientip returns error. HELP HELP! ___

hunterppp — Sat, 11 Dec 2010 06:31:43 GMT

@ftk I've updated the question with an error, any help?

Re: * | geoip clientip returns error. HELP HELP! ___

ftk — Mon, 13 Dec 2010 21:37:04 GMT

Hmm. I don't think that screenshot tells us much as to what the error is. There should be a python.log in $SPLUNK_HOME/var/log/splunk/ That should have the full error message.

Re: * | geoip clientip returns error. HELP HELP! ___

jrodman — Thu, 16 Dec 2010 02:25:24 GMT

Looks like you're getting an exception that splunk doesn't know how to parse. The main thing is it's returning failure (a nonzero exit code). You may want to capture from inside the script how it's being invoked and run it independently to investigate.