Google Maps - geoip error

Kate_Lawrence-G
Contributor

I've installed the Google Maps app on my search head, but when I try to run a search:

sourcetype="stuff" remote_ip=* | geoip remote_ip

I get the following error:

Error in 'script': Getinfo probe failed for external search command 'geoip'

   Traceback (most recent call last):
      File "/opt/splunk/etc/apps/maps/appserver/modules/GoogleMaps/GoogleMaps.py", line 53, in generateResults
        for result in getattr(job, entity_name)[offset:end]:
      File "/opt/splunk/lib/python2.6/site-packages/splunk/search/__init__.py", line 1219, in __getitem__
        self.job.pushValidation()
      File "/opt/splunk/lib/python2.6/site-packages/splunk/search/__init__.py", line 590, in pushValidation
        raise splunk.SearchException, fatality
    SearchException: Error in 'script': Getinfo probe failed for external search command 'geoip'

I installed the MAXMIND app as well but the result is the same.
I've restarted Splunk but that has not resolved the issue either.

Thanks,

yannK
Splunk Employee

There was a bug in the app for distributed searches, fixed in 1.1.3.
See http://apps.splunk.com/app/368/

Or install the app on all the search-peers.

asmall
Explorer

Try:

sourcetype="stuff" remote_ip=* | stats count by remote_ip | geoip remote_ip

Kate_Lawrence-G
Contributor

Hi,
Have you checked if the app is enabled at the indexer and is listed in the etc/apps directory after it replicates the bundle over from the search head?

You can check the status of installed apps with ./splunk display app. If it is disabled, you can enable it with ./splunk enable app

If you are running deployment server you could also just roll it out that way.

@Kate

0 Karma

paranoid
Explorer

I've just installed the Google Maps app on my search and seen the bundles distributed to my indexers. Unfortunately I get: "Streamed search execute failed because: Error in 'script': Getinfo probe failed for external search command 'geoip'"

However, if I manually install the app on the indexers (and restart) it does work. It would be much nicer if it just worked so I don't have to manually update N indexers. Any ideas how to debug or fix this?

0 Karma

Kate_Lawrence-G
Contributor

Thanks Dave, but I did have some luck with the lookup geoip command instead. It's producing results now, but I will keep that in mind; my production system is distributed but 4.1.6 across the board.

0 Karma

dshpritz
SplunkTrust

Hey Kate,

I was working with 4.2.3 with a distributed deployment. You may want to try an older version. I believe the current version was released to address compatibility issues with 4.2.

Dave

0 Karma

Kate_Lawrence-G
Contributor

Hi Dave,
Yes, I'm actually testing it out on a standalone search head+indexer (my cloud sandbox) and am receiving the same error.
What version of Splunk are you running? I'm on 4.1.6 and wondering if there is some incompatibility?

Thanks,

Kate

0 Karma

dshpritz
SplunkTrust

Hey Kate,

I ran into the same problem recently. Do you have the Google Maps app installed on your indexer as well as the search head?

Dave

0 Karma