All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

MapIt doesn't map it

benefitcos
Explorer
‎11-08-2013 11:35 AM

Hello,

Have installed AMMap and Maxmind per instructions here and in documentation. Using this formula:

sourcetype="Sites*" Preview fromHost!="'10.*'" | rex
"'(?<fromHost>\d+.\d+.\d+.\d+)'"|  stats count by fromHost | head  100 | eval
count_label="Login" |
eval iterator="fromHost" | eval iterator_label="IP" | eval
movie_color="#FF0000" | eval output_file="home_threat_data.xml" | eval
app="amMap" | lookup geoip clientip as fromHost

I'm able to generate results (which I can't post without enough 'karma', but trust me, I'm seeing cities, countries, lat, long, region, etc..)

However, when I use the | mapit command, all of a sudden 'no events were found'. When I run a check of the Splunk logs there are entries which coincides with each | mapit request:

Fri Nov 08 11:31:03 2013 - ERROR - Traceback:Traceback (most recent call last):
  File "D:\splunk\etc\apps\amMap\bin\map_results.py", line 180, in run
    result_dict_list = get_results()
  File "D:\splunk\etc\apps\amMap\bin\map_results.py", line 41, in get_results
    if results[0].has_key("app"):
IndexError: list index out of range

Any ideas on what might be happening? Appreciate any tips!

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎10-07-2014 12:52 PM

Hi benefitcos,

Just had the same problem today, when implementing the amMaps at a costumer which does not allow Internet access from the Splunk search head, so I had to setup amMap. The error was exactly the same and after checking the code, I realized that the there was some field missing in the stats, so including the field in the stats solved this.

Also be aware that you can use mapit in a HiddenPostProcess but you must use the the stats and all the eval commands in the HiddenPostProcess otherwise it will not work.

hope this helps ...

cheers, MuS

Reply

moneybox
Explorer
‎01-14-2014 03:17 AM

hi , i'm having the same issue.
if someone can help it would be great.

Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Index This | What has goals but no motivation?

June 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...