I've installed the Google Maps app on my search head but when I try to run a search:
sourcetype="stuff" remoteip=* | geoip remoteip
I get the following error:
Error in 'script': Getinfo probe failed for external search command 'geoip'
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/maps/appserver/modules/GoogleMaps/GoogleMaps.py", line 53, in generateResults
    for result in getattr(job, entity_name)[offset:end]:
  File "/opt/splunk/lib/python2.6/site-packages/splunk/search/__init__.py", line 1219, in __getitem__
    self.job.pushValidation()
  File "/opt/splunk/lib/python2.6/site-packages/splunk/search/__init__.py", line 590, in pushValidation
    raise splunk.SearchException, fatality
SearchException: Error in 'script': Getinfo probe failed for external search command 'geoip'
I installed the MAXMIND app as well but the result is the same.
I've restarted Splunk but that has not resolved the issue either.
Yes, I'm actually testing it out on a standalone search head+indexer (my cloud sandbox) and am receiving the same error.
What version of Splunk are you running? I'm on 4.1.6 and wondering if there is some incompatibility?
I was working with 4.2.3 with a distributed deployment. You may want to try an older version. I believe the current version was released to address compatibility issues with 4.2.
Thanks Dave, but I did have some luck with the lookup geoip command instead. It's producing results now, but I will keep that in mind; my production system is distributed but 4.1.6 across the board.
I've just installed the Google Maps app on my search and seen the bundles distributed to my indexers. Unfortunately I get: "Streamed search execute failed because: Error in 'script': Getinfo probe failed for external search command 'geoip'"
However, if I manually install the app on the indexers (and restart) it does work. Would be much nicer if it just worked so I don't have to manually update N indexers. Any ideas how to debug or fix this?
Have you checked if the app is enabled at the indexer and is listed in the etc/apps directory after it replicates the bundle over from the search head?
You can check the status of installed apps with
./splunk display app
If it is disabled, you can enable it with
./splunk enable app
If you are running a deployment server you could also just roll it out that way.