Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- _geo field will not display - need it for google m...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
_geo field will not display - need it for google maps
More info....
I am now getting...
Script for lookup table 'geoip' returned error code 1. Results may be incorrect. (this message is repeated for each of my indexers.
Maybe I am doing something wrong???
I am trying to use the google maps application. According to the documentation I need a field called _geo that includes lat and lon, so I use the following to create this field:
eval _geo=client_lat.",".client_lon
The field is not created, but if I use:
eval geo=client_lat.",".client_lon, I get the field?
Not sure what I am doing wrong here?
Some clarrification...
I changed the search to this....
index=mail | lookup geoip clientip as srcip | eval geo=client_lat+","+client_lon | search client_country="Spain" | table geo
I am getting results such as....
37.3379,-5.8395
But the google map does not have any data/plots????
debug info:
DEBUG: Incompatible set of indexes specified
DEBUG: No matching index found for 'index=mail'
DEBUG: [indexer16] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer17] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer21] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer22] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer23] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer24] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer25] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer26] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: base lispy: [ AND index::mail ]
DEBUG: search context: user="admin", app="maps", bs-pathname="/opt/splunk/etc"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My example to rename to geo was just to verify that it shows. You need it to be called _geo for it to work with the googlemaps app
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By default fields with a _ at the start will not display. Run your eval again and then pipe to;
| rename _geo AS GEO | table GEO
To verify if it is being correctly generated. Google maps requires it as _geo but this is just a nice way to make sure the _geo field is created before troubleshooting other things
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I look at examples on Splunkbase i see this:
eval _geo=client_lat+","+client_lon
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
