The feature is implemented as an external lookup, not a command. To utilize the lookup, the macro back ticks are needed. I finally realized that the Markdown syntax on the documentation page was consuming the ticks, making the documentation render incorrectly. I found a way to not have that happen, so the documentation is now correct.
@rfaircloth: As explained in one of your earlier posts, I used the back tick ` when executing the command. I used exactly the SPL from the documentation and also tried many other options - still the same error. However, I just realized the error message comes from the Splunk indexer (search head and indexer are on different servers). Do I have to install the app on the indexer as well, or adapt some configuration? Many thanks.
I apologize; when I read your question, I did not understand the error. Can you send me the search.log file from the SH and one indexer?
Also list the mmdb files in the app directory.
I could solve the problem - it works now! The problem was the missing GeoLite mmdb in the data folder of the app. It seems that some information (e.g. city, country etc.) comes from this database and I only had the GeoIP mmdb for getting further details (e.g. ISP etc.).
I am getting the same error (Script for lookup table 'SecKitIPLocation' returned error code 1). How did you solve the problem?
The Python script is located here: /opt/splunk/etc/apps/SecKit_SA_geolocation/bin
and the corresponding MaxMind data here: /opt/splunk/etc/apps/SecKit_SA_geolocation/data
Any suggestions are welcome.
Thanks, it's finding the command now, but now I run into this error:
Script for lookup table 'SecKitIPLocation' returned error code 1. Results may be incorrect.
Any suggestions on how to debug?
Here are the MaxMind files I have in the data directory:
-rw-r--r-- 1 splunk splunk 27386100 Feb 15 23:02 GeoIP2-ISP.mmdb
-rw-r--r-- 1 splunk splunk 96409528 Feb 15 23:06 GeoIP2-City.mmdb
-rw-r--r-- 1 splunk splunk 2525314 Feb 15 23:07 GeoIP2-Country.mmdb
Do I need more?
This app is not implemented as a search command; we are using an external lookup. I provided a macro, which requires the back tick:
index=* sourcetype=mylogs earliest=-1h | `seckit_iplocation(ip)`