MapIt doesn't map it

benefitcos
Explorer

Hello,

Have installed AMMap and Maxmind per instructions here and in documentation. Using this formula:

sourcetype="Sites*" Preview fromHost!="'10.*'"
| rex "'(?<fromHost>\d+.\d+.\d+.\d+)'"
| stats count by fromHost
| head 100
| eval count_label="Login"
| eval iterator="fromHost"
| eval iterator_label="IP"
| eval movie_color="#FF0000"
| eval output_file="home_threat_data.xml"
| eval app="amMap"
| lookup geoip clientip as fromHost

I'm able to generate results (which I can't post without enough 'karma', but trust me, I'm seeing cities, countries, lat, long, region, etc.)

However, when I use the | mapit command, all of a sudden 'no events were found'. When I run a check of the Splunk logs there are entries which coincide with each | mapit request:

Fri Nov 08 11:31:03 2013 - ERROR - Traceback:Traceback (most recent call last):
  File "D:\splunk\etc\apps\amMap\bin\map_results.py", line 180, in run
    result_dict_list = get_results()
  File "D:\splunk\etc\apps\amMap\bin\map_results.py", line 41, in get_results
    if results[0].has_key("app"):
IndexError: list index out of range

Any ideas on what might be happening? Appreciate any tips!

0 Karma

MuS
Legend

Hi benefitcos,

Just had the same problem today, when implementing the amMaps at a customer which does not allow Internet access from the Splunk search head, so I had to set up amMap. The error was exactly the same and after checking the code, I realized that there was some field missing in the stats, so including the field in the stats solved this.

Also be aware that you can use mapit in a HiddenPostProcess but you must use the stats and all the eval commands in the HiddenPostProcess otherwise it will not work.

hope this helps ...

cheers, MuS

moneybox
Explorer

Hi, I'm having the same issue.
If someone can help it would be great.

Thanks!

0 Karma