All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

_geo field will not display - need it for google maps

mcbradford
Contributor
‎11-02-2012 08:31 AM

More info....

I am now getting...

Script for lookup table 'geoip' returned error code 1. Results may be incorrect. (this message is repeated for each of my indexers.

Maybe I am doing something wrong???

I am trying to use the google maps application. According to the documentation I need a field called _geo that includes lat and lon, so I use the following to create this field:

eval _geo=client_lat.",".client_lon

The field is not created, but if I use:

eval geo=client_lat.",".client_lon, I get the field?

Not sure what I am doing wrong here?

Some clarrification...

I changed the search to this....

index=mail | lookup geoip clientip as srcip | eval geo=client_lat+","+client_lon | search client_country="Spain" | table geo

I am getting results such as....

37.3379,-5.8395

But the google map does not have any data/plots????

debug info:

DEBUG: Incompatible set of indexes specified
DEBUG: No matching index found for 'index=mail'
DEBUG: [indexer16] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer17] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer21] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer22] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer23] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer24] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer25] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer26] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: base lispy: [ AND index::mail ]
DEBUG: search context: user="admin", app="maps", bs-pathname="/opt/splunk/etc"

Reply

Drainy
Champion
‎11-05-2012 04:20 AM

My example to rename to geo was just to verify that it shows. You need it to be called _geo for it to work with the googlemaps app

0 Karma
Reply

Drainy
Champion
‎11-02-2012 08:41 AM

By default fields with a _ at the start will not display. Run your eval again and then pipe to;

| rename _geo AS GEO | table GEO

To verify if it is being correctly generated. Google maps requires it as _geo but this is just a nice way to make sure the _geo field is created before troubleshooting other things

Reply

sdaniels
Splunk Employee
Splunk Employee
‎11-02-2012 08:37 AM

If I look at examples on Splunkbase i see this:

eval _geo=client_lat+","+client_lon
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...