geoip command from google app stops working after upgrade to 6.1.1
In search log
05-14-2014 14:53:15.834 INFO script - found script file=/opt/SPLUNK/6.1.1/splunk/etc/apps/maps/bin/geoipcmd.py
05-14-2014 14:53:15.834 INFO script - stderr for script geoip will be treated as search messages
05-14-2014 14:53:15.891 ERROR script - Error in 'geoip' command: command="geoip", Error: GeoIP database file 'GeoLiteCity.dat' does not exist!
Nothing has changed under $SPLUNK_HOME/etc/apps/maps/* (compared md5s between two different instances, 6.0.3 vs 6.1.1).
File is present under
/opt/SPLUNK/6.1.1/splunk/etc/apps/maps/bin/GeoLiteCity.dat
with correct permissions...
Anyone seen this?
Update the file $SPLUNK_HOME/etc/apps/maps/default/geoip.conf
change the line
database_file = GeoLiteCity.dat
to
database_file = /opt/splunk/etc/apps/maps/bin/GeoLiteCity.dat
or whatever the correct full path to GeoLiteCity.dat is
Using "$SPLUNK_HOME/etc/apps/maps/bin/GeoLiteCity.dat" did not work for me.
I tried the options suggested on my search heads; it returns results, but with errors for my Linux indexers: "Streamed search execute failed because: Error in 'geoip' command: command="geoip", Error: GeoIP database file '/Program Files/Splunk/etc/apps/maps/bin/GeoLiteCity.dat' does not exist!".
My architecture has 2 search heads on Windows and 4 indexers (2 on Windows and 2 on Linux). Each of these indexers has its own set of data, i.e. no mirroring configured, hence I need all indexers to be available for a search operation.
So here is what I did:
1. Modified geoip.conf on the search heads and indexers running on Windows with the following entry:
database_file = /Program Files/Splunk/etc/apps/maps/bin/GeoLiteCity.dat
However, on my search head, when I run a search such as
"index=vpn session disconnected | geoip IP", it does return events from my indexers running Windows, but fails to return events from the indexers running Linux.
But if I run the search directly on the Linux indexer, it does return events.
Can someone help propose a solution for this ?
If you are running this on a Windows server, the path needs to be in the normal windows format DRIVELETTER:\splunk\etc\apps\maps\bin\GeoLiteCity.dat
Good point! Works fine for me now!
I had to make this change on my search heads and indexers in order for it to work.
However, this only works if your search head and indexer use the same directory path structure. (i.e. /opt or /appl). Since my search head is on a different path than our indexer, this work around does not work.
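For Linux/Unix hosts, here is an added shell example (not from the original post or from the Google Maps app itself) that applies the fix from the answer above on the host where it runs: it resolves the real absolute path of GeoLiteCity.dat, rewrites the database_file line in default/geoip.conf in place (keeping the stanza and any other keys, with a backup), and checks the result. Because the geoip command is executed on the indexers during a distributed search (the "Streamed search execute failed" errors earlier in the thread come from them), run it once on every search head and every indexer, so a search head under /opt and an indexer under /appl each get their own correct value instead of sharing one path, which is the situation described in the previous comment. It assumes the stock app layout etc/apps/maps/bin/GeoLiteCity.dat and etc/apps/maps/default/geoip.conf; the function names are my own. On Windows the value must instead be written in drive-letter form as noted above, which this script does not handle.

```shell
#!/bin/sh
# Added example (not part of the original thread or the Google Maps app).
# Points the app's geoip.conf at GeoLiteCity.dat by absolute path, on the host
# where it runs. Run it on each search head and each indexer: the geoip
# command runs on the indexers during a distributed search, so every host needs
# its own correct path. Unix hosts only; Windows needs a drive-letter path.
# Assumed layout: $SPLUNK_HOME/etc/apps/maps/bin/GeoLiteCity.dat and
#                 $SPLUNK_HOME/etc/apps/maps/default/geoip.conf

# Print the real absolute path of the .dat file. The value must be a literal
# path: geoip.conf is not run through the shell, so "$SPLUNK_HOME/..." is not
# expanded (as the answer above observed).
geoip_dat_path() {
    home=$1
    dat="$home/etc/apps/maps/bin/GeoLiteCity.dat"
    [ -r "$dat" ] || { echo "GeoLiteCity.dat not found or not readable at $dat" >&2; return 1; }
    dir=$(cd "$(dirname "$dat")" && pwd -P) || return 1
    echo "$dir/GeoLiteCity.dat"
}

# Rewrite the database_file line in default/geoip.conf in place, keeping the
# stanza and any other keys, after saving a .bak copy next to it.
set_geoip_database_file() {
    home=$1
    conf="$home/etc/apps/maps/default/geoip.conf"
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    abs=$(geoip_dat_path "$home") || return 1
    cp "$conf" "$conf.bak"
    awk -v p="$abs" '
        /^[[:space:]]*database_file[[:space:]]*=/ { print "database_file = " p; next }
        { print }
    ' "$conf.bak" > "$conf"
}

# Read back the configured database_file value.
geoip_database_file() {
    sed -n 's/^[[:space:]]*database_file[[:space:]]*=[[:space:]]*//p' \
        "$1/etc/apps/maps/default/geoip.conf"
}

# Check: the value is absolute, contains no unexpanded $VARIABLE, and the file
# exists and is readable on this host. Returns 0 only if all three hold.
check_geoip_database_file() {
    v=$(geoip_database_file "$1")
    case $v in
        /*) ;;
        *)  echo "database_file is not an absolute path: '$v'" >&2; return 1 ;;
    esac
    case $v in
        *'$'*) echo "database_file contains an unexpanded variable: '$v'" >&2; return 1 ;;
    esac
    [ -r "$v" ] || { echo "database file does not exist on this host: $v" >&2; return 1; }
    echo "ok: database_file = $v"
}

# Apply on this host when SPLUNK_HOME is set and the maps app is installed.
if [ -n "${SPLUNK_HOME:-}" ] && [ -d "$SPLUNK_HOME/etc/apps/maps" ]; then
    set_geoip_database_file "$SPLUNK_HOME" && check_geoip_database_file "$SPLUNK_HOME"
    echo "Now restart splunkd so the change takes effect: $SPLUNK_HOME/bin/splunk restart"
fi
```

Running check_geoip_database_file before and after the change makes the failure mode visible: the stock relative value "GeoLiteCity.dat" and a literal "$SPLUNK_HOME/..." value both fail the check, while the resolved absolute path passes only on a host where the file really sits there.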
Not sure, because I've got an all-in-one server. But as it deals with the app, I think it should be on the search head. BTW, just search your file system for geoip.conf and put the real path of GeoLiteCity.dat in it (after searching for GeoLiteCity.dat too).
Does this get changed on the search-head or indexers? I changed it on my search-head, and it now spits back a bunch of errors from the indexers, saying the .dat file can't be found.
Doesn't work for me when I use Google Maps in my own view. It works fine when I use it within the Google Maps view.
I get the following error in the Job Inspector
{'fatal': ["Error in 'script': Getinfo probe failed for external search command 'geoip'"], 'error': ["Error in 'script': Getinfo probe failed for external search command 'geoip'"], 'debug': ['search context: user="admin", app="APM_dynatrace", bs-pathname="C:\Tools\Splunk\etc"']}
I have changed the path of the GeoLiteCity.dat file, as per one of the comments in the forums, to an absolute path:
database_file = C:\Tools\Splunk\etc\apps\maps\bin\GeoLiteCity.dat
I am running Splunk on a single Windows box, so there is no distributed search.
Same problem here... using fresh install and Google Maps on 6.1
Thanks @rruijgrok, no more error with the full absolute path (but the maps don't fill; I'll RTFM to learn more about all that).
thanks worked for 6.1.3
worked like a charm... Thanks !!!
FYI, this also fixed the same error in the security onion app. thanks!
Thanks for this fix.. Solved our issue
Don't forget to restart Splunk after changing geoip.conf
Google Maps is working fine in Splunk 6.1 after this change
I'm a real newbie with Splunk: fresh install two hours ago, with modsecurity 14 and the Google Maps apps visibly well installed.
Exactly the same problem. All files seem to be in place with good perms (owner 506:506).
On a brand new Ubuntu 14.04 (standalone geoip is OK). (I'm currently trying to search more logs to understand what's happening.)