MapIt doesn't map it

benefitcos · ‎11-08-2013

Hello,

Have installed AMMap and Maxmind per instructions here and in documentation. Using this formula:

sourcetype="Sites*" Preview fromHost!="'10.*'" | rex
"'(?<fromHost>\d+.\d+.\d+.\d+)'"|  stats count by fromHost | head  100 | eval
count_label="Login" |
eval iterator="fromHost" | eval iterator_label="IP" | eval
movie_color="#FF0000" | eval output_file="home_threat_data.xml" | eval
app="amMap" | lookup geoip clientip as fromHost

I'm able to generate results (which I can't post without enough 'karma', but trust me, I'm seeing cities, countries, lat, long, region, etc..)

However, when I use the | mapit command, all of a sudden 'no events were found'. When I run a check of the Splunk logs there are entries which coincides with each | mapit request:

Fri Nov 08 11:31:03 2013 - ERROR - Traceback:Traceback (most recent call last):
  File "D:\splunk\etc\apps\amMap\bin\map_results.py", line 180, in run
    result_dict_list = get_results()
  File "D:\splunk\etc\apps\amMap\bin\map_results.py", line 41, in get_results
    if results[0].has_key("app"):
IndexError: list index out of range

Any ideas on what might be happening? Appreciate any tips!

MuS · ‎10-07-2014

Hi benefitcos,

Just had the same problem today, when implementing the amMaps at a costumer which does not allow Internet access from the Splunk search head, so I had to setup amMap. The error was exactly the same and after checking the code, I realized that the there was some field missing in the stats, so including the field in the stats solved this.

Also be aware that you can use mapit in a HiddenPostProcess but you must use the the stats and all the eval commands in the HiddenPostProcess otherwise it will not work.

hope this helps ...

cheers, MuS

moneybox · ‎01-14-2014

hi , i'm having the same issue.
if someone can help it would be great.

Thanks!

MapIt doesn't map it

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!