
SecKit for geolocation with Maxmind: Why am I getting error "unknown command"?

ebailey
Communicator

I am getting unknown command. I exported the app globally so I do not think this is a permissions issue.

rfaircloth_splu
Splunk Employee

The feature is implemented as an external lookup, not a command. To utilize the lookup, the macro back ticks are needed. I finally realized that the Markdown syntax on the documentation page was consuming the ticks, making the documentation render incorrectly. I found a way to not have that happen now, so the documentation is now correct.
https://splunkbase.splunk.com/app/3022/#/documentation

rfaircloth_splu
Splunk Employee

Per the documentation, this is a macro, not a command; as with any search macro, you must use the back tick `. Please copy and paste the SPL from the documentation.

0 Karma

gmenghini
New Member

@rfaircloth: As explained in one of your earlier posts, I used the back tick ` when executing the command. I used exactly the spl from the documentation and tried also many other options - still the same error. However, I just realized the error message comes from the splunk indexer (search head and indexer are on different servers). Do I have to install the app also on the indexer or adapt some configuration? Many thanks.

0 Karma

rfaircloth_splu
Splunk Employee

I apologize; when I read your question I did not understand the error. Can you send me the search.log file from the SH and one indexer?
Also list the mmdb files in the app directory.

0 Karma

gmenghini
New Member

I could solve the problem - it works now! The problem was the missing GeoLite mmdb in the data folder of the app. It seems that some information (e.g. city, country etc.) comes from this database, and I only had the GeoIP mmdb for getting further details (e.g. ISP etc.).

0 Karma

gmenghini
New Member

I am getting the same error (Script for lookup table 'SecKitIPLocation' returned error code 1)? How did you solve the problem?

The python script is located here: /opt/splunk/etc/apps/SecKit_SA_geolocation/bin
and the corresponding Maxmind data here: /opt/splunk/etc/apps/SecKit_SA_geolocation/data

Any suggestions are welcome.

Thanks.

0 Karma

axin
New Member

Thanks, it's finding the command now, but now I run into this error:

[] Script for lookup table 'SecKitIPLocation' returned error code 1. Results may be incorrect.

any suggestions on how to debug?

0 Karma

rfaircloth_splu
Splunk Employee

Verify the MaxMind files you are licensed for are downloaded into the data folder.

0 Karma

ebailey
Communicator

Here are the maxmind files I have in the data directory

-rw-r--r-- 1 splunk splunk 27386100 Feb 15 23:02 GeoIP2-ISP.mmdb
-rw-r--r-- 1 splunk splunk 96409528 Feb 15 23:06 GeoIP2-City.mmdb
-rw-r--r-- 1 splunk splunk 2525314 Feb 15 23:07 GeoIP2-Country.mmdb

Do I need more?

0 Karma
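The resolution in this thread (a missing GeoLite mmdb in the app's data folder) and rfaircloth's advice to verify which MaxMind files actually landed in that folder both come down to the same check: is every database the lookup script expects present, readable, and really an .mmdb file rather than a failed download saved under the right name? The following diagnostic is an added example written for this page; it is not part of the SecKit app and does not use the app's lookup script. The list of expected filenames is an assumption (the real set depends on your MaxMind licence and the app's configuration), and the data directory default is the path given earlier in the thread. The only format-specific fact it relies on is that every MaxMind DB file carries the metadata marker `\xab\xcd\xefMaxMind.com` within its last 128 KiB, per the MaxMind DB file format specification.

```python
"""Diagnostic for a Splunk geolocation lookup's MaxMind data directory.

Classifies each expected .mmdb file as ok / missing / unreadable / invalid so
that "Script for lookup table ... returned error code 1" can be traced to a
data-file problem before digging into search.log.
"""
import os
import sys
import tempfile

# Data directory named in the thread; override on the command line.
DEFAULT_DATA_DIR = "/opt/splunk/etc/apps/SecKit_SA_geolocation/data"

# ASSUMPTION: which databases the lookup needs depends on the app's
# configuration and on what you are licensed for. These names are a
# constructed example, not the app's own requirements list.
EXPECTED_FILES = [
    "GeoIP2-City.mmdb",
    "GeoIP2-Country.mmdb",
    "GeoIP2-ISP.mmdb",
    "GeoLite2-City.mmdb",
]

# Per the MaxMind DB format spec, the metadata section begins with this
# marker and sits within the last 128 KiB of the file.
MMDB_METADATA_MARKER = b"\xab\xcd\xefMaxMind.com"
METADATA_SEARCH_WINDOW = 128 * 1024


def looks_like_mmdb(path):
    """Return True if the tail of the file contains the MaxMind metadata marker.

    A truncated download, or an HTML error page saved under an .mmdb name,
    fails this check even though the file exists and is readable.
    """
    try:
        size = os.path.getsize(path)
        with open(path, "rb") as fh:
            fh.seek(max(0, size - METADATA_SEARCH_WINDOW))
            tail = fh.read()
    except OSError:
        return False
    return MMDB_METADATA_MARKER in tail


def check_geoip_data_dir(data_dir, expected):
    """Map each expected filename to one of: ok, missing, unreadable, invalid."""
    report = {}
    for name in expected:
        path = os.path.join(data_dir, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif not os.access(path, os.R_OK):
            # Lookup scripts run as the splunk user; a root-owned 0600 file
            # shows up here rather than as "missing".
            report[name] = "unreadable"
        elif not looks_like_mmdb(path):
            report[name] = "invalid"
        else:
            report[name] = "ok"
    return report


def build_constructed_sample(data_dir):
    """Write constructed stand-ins that exercise the ok/invalid/missing cases."""
    # Constructed valid-looking file: padding followed by the metadata marker.
    with open(os.path.join(data_dir, "GeoIP2-City.mmdb"), "wb") as fh:
        fh.write(b"\x00" * 1024 + MMDB_METADATA_MARKER + b"\xde\xad")
    # Constructed failure: an HTML error page saved under an .mmdb name.
    with open(os.path.join(data_dir, "GeoIP2-ISP.mmdb"), "wb") as fh:
        fh.write(b"<html><body>403 Forbidden</body></html>")
    # GeoIP2-Country.mmdb and GeoLite2-City.mmdb are deliberately not written,
    # reproducing the "missing database" cause reported in the thread.


def demo():
    """Run the check against a temporary directory of constructed files."""
    with tempfile.TemporaryDirectory() as data_dir:
        build_constructed_sample(data_dir)
        return check_geoip_data_dir(data_dir, EXPECTED_FILES)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DATA_DIR
    if os.path.isdir(target):
        results = check_geoip_data_dir(target, EXPECTED_FILES)
    else:
        print("%s not found; running against constructed sample files" % target)
        results = demo()
    for name, status in sorted(results.items()):
        print("%-22s %s" % (name, status))
```

Run it on the search head and on each indexer; a lookup that works on the search head but fails on the indexer (the situation gmenghini hit) will show the difference directly in the two reports. Edit `EXPECTED_FILES` to match the databases your licence and the app's configuration actually call for.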

rfaircloth_splu
Splunk Employee

Just wanted to check: did you get past this? If not, send me a private message; I can WebEx with you.

0 Karma

rfaircloth_splu
Splunk Employee

Wanted to follow up; feel free to email me or direct message, I can help you get this working.

0 Karma

ebailey
Communicator

@rfaircloth Thanks for creating this tool - it is very helpful.

0 Karma

axin
New Member

Getting the same error on splunk 6.3.3

Search:
index=* sourcetype=mylogs earliest=-1h | seckit_iplocation(ip)

"Unknown search command 'seckit'. "

0 Karma

rfaircloth_splu
Splunk Employee

This app is not implemented as a search command; we are using an external lookup. I provided a macro, which requires the back tick:

index=* sourcetype=mylogs earliest=-1h | `seckit_iplocation(ip)`

0 Karma

rfaircloth_splu
Splunk Employee

ebailey, can you copy and paste the search you attempted to run? This app does not have an external command; I used an external lookup for performance reasons.

0 Karma