I am getting unknown command. I exported the app globally, so I do not think this is a permissions issue.
The feature is implemented as an external lookup, not a command. To utilize the lookup, the macro backticks are needed. I finally realized that the Markdown syntax on the documentation page was consuming the ticks, making the documentation render incorrectly. I found a way to keep that from happening, so the documentation is now correct.
https://splunkbase.splunk.com/app/3022/#/documentation
Per the documentation this is a macro, not a command; as with any search macro you must use the backtick `. Please copy and paste the SPL from the documentation.
@rfaircloth: As explained in one of your earlier posts, I used the backtick ` when executing the command. I used exactly the SPL from the documentation and also tried many other options - still the same error. However, I just realized the error message comes from the Splunk indexer (search head and indexer are on different servers). Do I have to install the app on the indexer as well, or adapt some configuration? Many thanks.
I apologize; when I read your question I did not understand the error. Can you send me the search.log file from the SH and one indexer?
Also list the mmdb files in the app directory
I was able to solve the problem - it works now! The problem was the missing GeoLite mmdb in the data folder of the app. It seems that some information (e.g. city, country etc.) comes from this database, and I only had the GeoIP mmdb for getting further details (e.g. ISP etc.).
I am getting the same error (Script for lookup table 'SecKitIPLocation' returned error code 1)? How did you solve the problem?
The Python script is located here: /opt/splunk/etc/apps/SecKit_SA_geolocation/bin
and the corresponding MaxMind data here: /opt/splunk/etc/apps/SecKit_SA_geolocation/data
Any suggestions are welcome.
Thanks.
Thanks, it's finding the command now, but now I run into this error:
[] Script for lookup table 'SecKitIPLocation' returned error code 1. Results may be incorrect.
any suggestions on how to debug?
Verify that the MaxMind files you are licensed for are downloaded into the data folder.
Here are the MaxMind files I have in the data directory:
-rw-r--r-- 1 splunk splunk 27386100 Feb 15 23:02 GeoIP2-ISP.mmdb
-rw-r--r-- 1 splunk splunk 96409528 Feb 15 23:06 GeoIP2-City.mmdb
-rw-r--r-- 1 splunk splunk 2525314 Feb 15 23:07 GeoIP2-Country.mmdb
Do I need more?
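As an added example (not code from the SecKit app or from anyone in this thread): a Python check that decodes the metadata map MaxMind stores at the end of every .mmdb file and reports each file's database_type, so you can confirm which GeoIP2/GeoLite2 databases are actually present in the data folder rather than trusting file names. The data directory path is the one quoted earlier in the thread; the sample .mmdb image embedded in the script is constructed, and the bogus second file in the temporary directory stands in for a download that saved an error page instead of a database.

```python
#!/usr/bin/env python3
"""Report what each .mmdb file in the SecKit_SA_geolocation data folder is.

Added example, not code from the SecKit app. Every MaxMind DB file ends with
a metadata map that starts right after the marker b"\\xab\\xcd\\xefMaxMind.com"
(within the last 128 KiB of the file). Decoding that map yields database_type.
"""
import os
import sys
import tempfile

METADATA_MARKER = b"\xab\xcd\xefMaxMind.com"
METADATA_WINDOW = 128 * 1024   # metadata lies within the last 128 KiB of the file
DEFAULT_DATA_DIR = "/opt/splunk/etc/apps/SecKit_SA_geolocation/data"  # path from the thread


def _read_size(buf, pos, size):
    """Resolve the 5-bit size field; values 29..31 pull extra size bytes."""
    if size < 29:
        return size, pos
    if size == 29:
        return 29 + buf[pos], pos + 1
    if size == 30:
        return 285 + int.from_bytes(buf[pos:pos + 2], "big"), pos + 2
    return 65821 + int.from_bytes(buf[pos:pos + 3], "big"), pos + 3


def decode(buf, pos):
    """Decode one MaxMind DB data-format value at buf[pos]; return (value, next pos).

    Control byte: top 3 bits = type (0 means the type is the next byte + 7),
    low 5 bits = size. Only the types that occur in metadata are handled.
    """
    ctrl = buf[pos]
    pos += 1
    kind = ctrl >> 5
    if kind == 0:                                  # extended type byte follows
        kind = buf[pos] + 7
        pos += 1
    size, pos = _read_size(buf, pos, ctrl & 0x1F)
    if kind == 2:                                  # UTF-8 string
        return buf[pos:pos + size].decode("utf-8"), pos + size
    if kind in (5, 6, 9, 10):                      # uint16 / uint32 / uint64 / uint128
        return int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if kind == 7:                                  # map: size = number of pairs
        out = {}
        for _ in range(size):
            key, pos = decode(buf, pos)
            out[key], pos = decode(buf, pos)
        return out, pos
    if kind == 11:                                 # array: size = number of items
        items = []
        for _ in range(size):
            item, pos = decode(buf, pos)
            items.append(item)
        return items, pos
    if kind == 14:                                 # boolean: the size field is the value
        return bool(size), pos
    raise ValueError("unsupported data type %d in metadata" % kind)


def parse_metadata(blob):
    """Find the marker in the tail of an .mmdb image and decode the metadata map."""
    tail = blob[-METADATA_WINDOW:]
    idx = tail.rfind(METADATA_MARKER)
    if idx < 0:
        raise ValueError("no MaxMind metadata marker (not an .mmdb file?)")
    return decode(tail, idx + len(METADATA_MARKER))[0]


def inspect_data_dir(data_dir):
    """Return {file name: database_type or 'ERROR: ...'} for each .mmdb in data_dir."""
    report = {}
    for name in sorted(os.listdir(data_dir)):
        if not name.endswith(".mmdb"):
            continue
        try:
            with open(os.path.join(data_dir, name), "rb") as fh:
                fh.seek(0, os.SEEK_END)
                fh.seek(max(0, fh.tell() - METADATA_WINDOW))   # only the tail is needed
                report[name] = parse_metadata(fh.read()).get("database_type", "<none>")
        except (OSError, ValueError, UnicodeDecodeError, IndexError, AttributeError) as exc:
            report[name] = "ERROR: %s" % exc
    return report


def _s(text):
    """Encode a short (< 29 byte) string as a MaxMind DB string value."""
    data = text.encode("utf-8")
    return bytes([0x40 | len(data)]) + data


# Constructed sample image: 64 filler bytes standing in for the search tree and
# data section, then the marker and a metadata map describing a GeoLite2-City
# file. Extended types (uint64 = 9, array = 11) are written as 0x00|size, type-7.
SAMPLE_MMDB = (
    b"\x00" * 64 + METADATA_MARKER
    + b"\xe7"                                                   # map, 7 entries
    + _s("node_count") + b"\xc1\x01"                            # uint32 1
    + _s("record_size") + b"\xa1\x18"                           # uint16 24
    + _s("ip_version") + b"\xa1\x06"                            # uint16 6
    + _s("database_type") + _s("GeoLite2-City")
    + _s("languages") + b"\x02\x04" + _s("en") + _s("de")       # array of 2 strings
    + _s("description") + b"\xe1" + _s("en") + _s("GeoLite2 City database")
    + _s("build_epoch") + b"\x04\x02" + (1519000000).to_bytes(4, "big")  # uint64
)


def run_on_sample_dir():
    """Write the sample next to a bogus download into a temp dir and inspect it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "GeoLite2-City.mmdb"), "wb") as fh:
            fh.write(SAMPLE_MMDB)
        with open(os.path.join(tmp, "GeoIP2-ISP.mmdb"), "wb") as fh:
            fh.write(b"<html>login required</html>")   # constructed: a saved error page
        return inspect_data_dir(tmp)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DATA_DIR
    for name, kind in inspect_data_dir(target).items():
        print("%-24s %s" % (name, kind))
```

Run it as the splunk user on the search head (and on the indexer, if the lookup runs there) with the data directory as the argument; a file that reports an ERROR line is not a usable database, and a listing that shows only GeoIP2-ISP/GeoIP2-Country without a City database matches the missing-GeoLite case described earlier in the thread.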
Just wanted to check: did you get past this? If not, send me a private message and I can WebEx with you.
Wanted to follow up: feel free to email me or direct message me and I can help you get this working.
@rfaircloth Thanks for creating this tool - it is very helpful.
Getting the same error on Splunk 6.3.3.
Search:
index=* sourcetype=mylogs earliest=-1h | seckit_iplocation(ip)
"Unknown search command 'seckit'. "
This app is not implemented as a search command; we are using an external lookup. I provided a macro, which requires the backtick:
index=* sourcetype=mylogs earliest=-1h | `seckit_iplocation(ip)`
@ebaiey, can you copy and paste the search you attempted to run? This app does not have an external command; I used an external lookup for performance reasons.