I have installed AMMap and Maxmind per the instructions here and in the documentation. Using this search:
sourcetype="Sites*" Preview fromHost!="'10.*'" | rex "'(?<fromHost>\d+\.\d+\.\d+\.\d+)'" | stats count by fromHost | head 100 | eval count_label="Login" | eval iterator="fromHost" | eval iterator_label="IP" | eval movie_color="#FF0000" | eval output_file="home_threat_data.xml" | eval app="amMap" | lookup geoip clientip as fromHost
I'm able to generate results (which I can't post without enough 'karma', but trust me, I'm seeing cities, countries, lat, long, region, etc.).
However, when I add the | mapit command, all of a sudden 'no events were found'. When I check the Splunk logs there are entries which coincide with each | mapit request:
Fri Nov 08 11:31:03 2013 - ERROR - Traceback:
Traceback (most recent call last):
  File "D:\splunk\etc\apps\amMap\bin\map_results.py", line 180, in run
    result_dict_list = get_results()
  File "D:\splunk\etc\apps\amMap\bin\map_results.py", line 41, in get_results
    if results.has_key("app"):
IndexError: list index out of range
Any ideas on what might be happening? Appreciate any tips!
Just had the same problem today, when implementing amMap at a customer which does not allow Internet access from the Splunk search head, so I had to set up amMap. The error was exactly the same and after checking the code, I realized that there was some field missing in the stats, so including the field in the stats solved this.

Also be aware that you can use mapit in a HiddenPostProcess, but you must use the stats and all the eval commands in the HiddenPostProcess, otherwise it will not work.

Hope this helps ...