
geoip command stops working after upgrade to 6.1.1 - GeoIP database file 'GeoLiteCity.dat' does not exist!

Splunk Employee

The geoip command from the Google Maps app stops working after upgrade to 6.1.1.

In the search log:

05-14-2014 14:53:15.834 INFO script - found script file=/opt/SPLUNK/6.1.1/splunk/etc/apps/maps/bin/geoipcmd.py
05-14-2014 14:53:15.834 INFO script - stderr for script geoip will be treated as search messages
05-14-2014 14:53:15.891 ERROR script - Error in 'geoip' command: command="geoip", Error: GeoIP database file 'GeoLiteCity.dat' does not exist!

Nothing has changed under $SPLUNK_HOME/etc/apps/maps/* (compared md5s between 2 different instances, 6.0.3 vs 6.1.1).

File is present under

/opt/SPLUNK/6.1.1/splunk/etc/apps/maps/bin/GeoLiteCity.dat

with correct permissions...

Anyone seen this?

0 Karma
1 Solution

Explorer

Update the file $SPLUNK_HOME/etc/apps/maps/default/geoip.conf

change the line

database_file = GeoLiteCity.dat

to

database_file = /opt/splunk/etc/apps/maps/bin/GeoLiteCity.dat

or whatever the correct full path to GeoLiteCity.dat is

Using "$SPLUNK_HOME/etc/apps/maps/bin/GeoLiteCity.dat" did not work for me.

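An added check (example code, not from the maps app or from Splunk) that reads the database_file line the answer refers to and resolves it the way a robust command would: absolute paths, including Windows drive-letter paths, pass through, and a bare filename is anchored to the app's bin directory rather than the process working directory. $SPLUNK_HOME expansion is opt-in because, as the answer notes, the stock command does not expand it; run the check with each host's own app_bin, since the thread shows the error coming from indexers as well as search heads. The stanza name in the test input is constructed.

```python
import os
import posixpath
import re

# Added example: a stand-alone resolver/checker for the database_file setting
# in geoip.conf. It is not the maps app's own code; the app's real lookup is
# whatever geoipcmd.py does, which the thread shows fails on a bare filename.

_WIN_ABS = re.compile(r"^[A-Za-z]:[\\/]")  # matches C:\... or C:/...


def is_absolute(path):
    """True for a POSIX absolute path or a Windows drive-letter path."""
    return posixpath.isabs(path) or bool(_WIN_ABS.match(path))


def parse_database_file(conf_text):
    """Return the database_file value from geoip.conf text, or None.
    Stanza headers and comments are skipped; the last assignment wins."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == "database_file":
            value = val.strip()
    return value


def resolve_database_file(value, app_bin, splunk_home=None):
    """Map a database_file value to the path that would be opened.
    Absolute paths pass through. A bare filename is anchored to the app's
    bin directory, where GeoLiteCity.dat ships, instead of the process cwd.
    $SPLUNK_HOME is expanded only when splunk_home is given: the thread
    reports the stock command leaves it unexpanded, and the default mirrors that."""
    if splunk_home is not None:
        value = value.replace("$SPLUNK_HOME", splunk_home)
    if is_absolute(value):
        return value
    sep = "\\" if "\\" in app_bin else "/"
    return app_bin.rstrip("\\/") + sep + value


def check_geoip_conf(conf_text, app_bin, splunk_home=None, exists=os.path.isfile):
    """Return (resolved_path, ok); ok is False when the file is missing, i.e.
    the same condition that produces the 'does not exist!' search error."""
    value = parse_database_file(conf_text)
    if value is None:
        return None, False
    resolved = resolve_database_file(value, app_bin, splunk_home)
    return resolved, exists(resolved)
```

Running it on every search head and indexer before restarting Splunk shows which hosts will still raise the error from the streamed search.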

Explorer

I tried the options suggested on my search heads; it is returning results with errors for my Linux indexers: "Streamed search execute failed because: Error in 'geoip' command: command="geoip", Error: GeoIP database file '/Program Files/Splunk/etc/apps/maps/bin/GeoLiteCity.dat' does not exist!".

My architecture has 2 search heads on Windows and 4 indexers (2 Windows indexers and 2 Linux indexers). Each of these indexers has its own set of data, i.e. no mirroring configured; hence I need all indexers to be available for a search operation.

So here is what I did:
1. Modify the search heads and indexers running on Windows: geoip.conf with the following entry:
database_file = /Program Files/Splunk/etc/apps/maps/bin/GeoLiteCity.dat

2. Modify the indexer running Linux: geoip.conf with the following entry:
database_file = /opt/splunk/etc/apps/maps/bin/GeoLiteCity.dat

However, on my search head, when I try to run a search, for example:
"index=vpn session disconnected | geoip IP", it does return events from my indexers running Windows, but fails to provide events from the indexers running on Linux.

But if I run the search individually on the indexer running Linux, it does return events.

Can someone help propose a solution for this?

0 Karma

New Member

If you are running this on a Windows server, the path needs to be in the normal windows format DRIVELETTER:\splunk\etc\apps\maps\bin\GeoLiteCity.dat

0 Karma

Path Finder

Good point! Works fine for me!

0 Karma

Path Finder

I had to make this change on my search heads and indexers in order for it to work.

However, this only works if your search head and indexer use the same directory path structure. (i.e. /opt or /appl). Since my search head is on a different path than our indexer, this work around does not work.

0 Karma

Path Finder

Not sure, because I've got an all-in-one server. But as it deals with the app, I think it should be on the search head. BTW, just search your file system for geoip.conf and put the real path of GeoLiteCity.dat in it (after running a search for GeoLiteCity.dat too).

0 Karma

Champion

Does this get changed on the search-head or indexers? I changed it on my search-head, and it now spits back a bunch of errors from the indexers, saying the .dat file can't be found.

0 Karma

New Member

Doesn't work for me when I use Google Maps in my own view. It works fine when I use it within the Google Maps view.
I get the following error in the Job Inspector:
{'fatal': ["Error in 'script': Getinfo probe failed for external search command 'geoip'"], 'error': ["Error in 'script': Getinfo probe failed for external search command 'geoip'"], 'debug': ['search context: user="admin", app="APM_dynatrace", bs-pathname="C:\Tools\Splunk\etc"']}

I have changed the path of the GeoLiteCity.dat file, as per one of the comments in the forums, to an absolute path:
database_file = C:\Tools\Splunk\etc\apps\maps\bin\GeoLiteCity.dat
I am running Splunk on a single Windows box, so there is no distributed search.

0 Karma

New Member

Same problem here... using fresh install and Google Maps on 6.1

0 Karma

Engager

Thx @rruijgrok. No more error with the full absolute path (but the maps don't fill; I'll RTFM to know more about all that).

0 Karma


Explorer

Thanks, worked for 6.1.3.

0 Karma

Path Finder

Worked like a charm... Thanks!!!

0 Karma

Path Finder

FYI, this also fixed the same error in the Security Onion app. Thanks!

0 Karma

Explorer

Thanks for this fix. Solved our issue.

0 Karma

Explorer

Don't forget to restart Splunk after changing geoip.conf.

Google Maps is working fine in Splunk 6.1 after this change.

Engager

I'm a real newbie with Splunk: fresh install two hours ago, with the modsecurity 14 and Google Maps apps visibly well installed.

Exactly the same problem. All files seem to be in place with good perms (owner 506:506).

(I'm currently trying to search more logs to understand what's happening) on a brand new Ubuntu 14.04 (standalone geoip is OK).

0 Karma