
Why is AMMap not generating the flash-based map?

Contributor

I tried the steps specified on the http://www.splunk.com/base/Documentation/4.1/Developer/CreateMap documentation, but I can't seem to get the map generated for me. These are the error messages I've been seeing with regard to the app:

    Wed Apr 28 09:49:33 2010 - ERROR - Traceback:
    Traceback (most recent call last):
      File "C:\Program Files\Splunk\etc\apps\ammap\bin\map_results.py", line 178, in run
        geo_results = aggregate_threat(result_dict_list)
      File "C:\Program Files\Splunk\etc\apps\ammap\bin\map_results.py", line 91, in aggregate_threat
        key = dict["client_lon"]+dict["client_lat"]
      File "C:\Program Files\Splunk\Python-2.6\Lib\UserDict.py", line 22, in __getitem__
        raise KeyError(key)
    KeyError: 'client_lon'

1 Solution

Contributor

This seems to be a matter of re-education. Entering the search query brings up the resulting action, and you will need to go back to the main page where the map is to see your updated map.


Splunk Employee

By the way, a new version of the app was uploaded on April 27th. http://www.splunkbase.com/apps/All/4.x/app:Splunk+for+use+with+amMap+Flash+Maps


Splunk Employee

Will try it out on my Windows box.


Splunk Employee

Yes, it's working for me. Running Splunk 4.1.1 on Mac OS X.


Contributor

I've redownloaded this, and still the same issue. Is this working for you?


Splunk Employee

If you run the search

    * | rex "(?<ip>\d+.\d+.\d+.\d+)" | search ip!=192.168* ip!=0.0.* ip!=10.* | stats count by ip | head 100 | eval count_label="Event" | eval iterator="ip" | eval iterator_label="IP" | eval movie_color="#FF0000" | eval output_file="home_threat_data.xml" | eval app="amMap" | lookup geoip clientip as ip ...

in the search box, do you see client_lon, client_city, client_country fields as column headers in the results table?


Contributor

Yes, I am getting an error message, it looks like.

    INFO - Checking Intersplunk for results
    INFO - checking for target app in search results
    INFO - checking for output file in search results
    INFO - aggregate_threat()
    INFO - Aggregating results ....
    INFO - formatthreatmovies()
    INFO - writethreatxml()
    C:\Program Files\Splunk\etc\apps\amMap\appserver\static\xmlout\homethreat_data.xml
    Writing XML to : C:\Program Files\Splunk\etc\apps\amMap\appserver\static\xmlout\homethreat_data.xml


Splunk Employee

Have you run the search with | mapit on the end?


Contributor

Yes. I actually have the sourcetype do the lookup inline, so I don't have to run the geoip command any longer.
