All Apps and Add-ons

MapIt doesn't map it

Explorer

Hello,

Have installed AMMap and Maxmind per instructions here and in documentation. Using this formula:

sourcetype="Sites*" Preview fromHost!="'10.*'" | rex
"'(?<fromHost>\d+.\d+.\d+.\d+)'"|  stats count by fromHost | head  100 | eval
count_label="Login" |
eval iterator="fromHost" | eval iterator_label="IP" | eval
movie_color="#FF0000" | eval output_file="home_threat_data.xml" | eval
app="amMap" | lookup geoip clientip as fromHost

I'm able to generate results (which I can't post without enough 'karma', but trust me, I'm seeing cities, countries, lat, long, region, etc..)

However, when I use the | mapit command, all of a sudden 'no events were found'. When I run a check of the Splunk logs there are entries which coincides with each | mapit request:

Fri Nov 08 11:31:03 2013 - ERROR - Traceback:Traceback (most recent call last):
  File "D:\splunk\etc\apps\amMap\bin\map_results.py", line 180, in run
    result_dict_list = get_results()
  File "D:\splunk\etc\apps\amMap\bin\map_results.py", line 41, in get_results
    if results[0].has_key("app"):
IndexError: list index out of range

Any ideas on what might be happening? Appreciate any tips!

0 Karma

SplunkTrust
SplunkTrust

Hi benefitcos,

Just had the same problem today, when implementing the amMaps at a costumer which does not allow Internet access from the Splunk search head, so I had to setup amMap. The error was exactly the same and after checking the code, I realized that the there was some field missing in the stats, so including the field in the stats solved this.

Also be aware that you can use mapit in a HiddenPostProcess but you must use the the stats and all the eval commands in the HiddenPostProcess otherwise it will not work.

hope this helps ...

cheers, MuS

Explorer

hi , i'm having the same issue.
if someone can help it would be great.

Thanks!

0 Karma