https://community.splunk.com/t5/Splunk-Search/geoip-lookup-script-fails-with-error-code-1/m-p/84581#M21561 <P>Nope... not using distributed search.</P> Thu, 23 May 2013 21:09:53 GMT responsys_cm 2013-05-23T21:09:53Z https://community.splunk.com/t5/Splunk-Search/geoip-lookup-script-fails-with-error-code-1/m-p/84579#M21559 <P>I'm trying to use the geoip external lookup script, the one that uses the MAXMIND database.</P> <P>When I run my search, I get the "Script for lookup table 'geoip' returned error code 1. Results may be incorrect."</P> <P>The search is:</P> <P>sourcetype=logentry action=login NOT accountname=SysAdmin NOT accountname=ops* NOT username=SYS* NOT src_ip=NULL NOT src_ip=10.* | stats count by accountname,src_ip,username | lookup geoip clientip AS src_ip OUTPUT client_country client_org </P> <P>I get the same error if I remove the stats command from the pipeline. I can pipe that to something like | search NOT client_country=* to try and find the first result that had a failed lookup. But if I then narrow the initial search to capture that event, it will do the resolution fine.</P> <P>How can I troubleshoot this? We have a fair number of scheduled searches that do geoip lookups. What happens if two searches try and execute that python script at the same time? It seems to me that the problem happens when the volume of events in the search results are high rather than some kind of bad data screwing up the script.</P> <P>I'm on Splunk 4.3.2, build 123586. </P> <P>Thx.</P> <P>C</P> Mon, 28 Sep 2020 11:59:32 GMT https://community.splunk.com/t5/Splunk-Search/geoip-lookup-script-fails-with-error-code-1/m-p/84579#M21559 responsys_cm 2020-09-28T11:59:32Z https://community.splunk.com/t5/Splunk-Search/geoip-lookup-script-fails-with-error-code-1/m-p/84580#M21560 <P>It sounds like you are using distributed search. It seems that the app needs to be installed on all the indexers as well. Please also reference the following link: <A href="http://splunk-base.splunk.com/answers/75598/google-maps-where-to-install">http://splunk-base.splunk.com/answers/75598/google-maps-where-to-install</A></P> Thu, 23 May 2013 20:26:29 GMT https://community.splunk.com/t5/Splunk-Search/geoip-lookup-script-fails-with-error-code-1/m-p/84580#M21560 mlulmer 2013-05-23T20:26:29Z https://community.splunk.com/t5/Splunk-Search/geoip-lookup-script-fails-with-error-code-1/m-p/84581#M21561 <P>Nope... not using distributed search.</P> Thu, 23 May 2013 21:09:53 GMT https://community.splunk.com/t5/Splunk-Search/geoip-lookup-script-fails-with-error-code-1/m-p/84581#M21561 responsys_cm 2013-05-23T21:09:53Z https://community.splunk.com/t5/Splunk-Search/geoip-lookup-script-fails-with-error-code-1/m-p/84582#M21562 <P>what happens if you run</P> <P>sourcetype=logentry action=login NOT accountname=SysAdmin NOT accountname=ops NOT username=SYS NOT src_ip=NULL NOT src_ip=10.* | stats count by accountname,src_ip,username | lookup local=true geoip clientip AS src_ip OUTPUT client_country client_org</P> Mon, 28 Sep 2020 13:58:12 GMT https://community.splunk.com/t5/Splunk-Search/geoip-lookup-script-fails-with-error-code-1/m-p/84582#M21562 cramasta 2020-09-28T13:58:12Z