We have our search heads pooled in batches of 4. I installed Google Maps into the shared application directory and have restarted all search heads, but I'm encountering an error when trying to use the geoip command. Streamed search execute failed because: Error in 'script': Getinfo probe failed for external search command 'geoip'
Should I be installing this app on all of our indexers? Should I install it on our deployment server and then have one of our serverClasses handle getting it to our search heads and/or indexers?
I see this error referenced in quite a few places on SplunkBase, but I'm not really finding a similar situation to compare ours to.
I was running into the same problem today. We have 4 Indexers and 7 Search Heads running. First In installed Google Maps on one of the Search Heads, resulting in the same error message stated above.
Then I have installed it on one of the indexers and run the geoip command locally on this Indexer, which was running fine. In the last step I installed the app on all 4 Indexers, and then it was running fine fro the Search Head as well.
You can test if this is a distributed search issue where it's trying to execute the command on the Indexers by using splunk_server in a search and piping to geoip:
... splunk_server=localhost | geoip src_ip
If running the command local on the search head solves the issue, you can make a more permanent solution to tell Splunk to execute the command only on search heads, like this:
COMMANDS.CONF: [geoip] local=true