I've figured out the issue for anyone who gets the error: Error in 'SearchOperator:Geom': could not resolve

What you'll want to do is go to Setting > Lookups > Lookup Definition.

• For app context drop down, select All.
• For Owner drop down, select Any.
• in the text box next to the green button with magnifying glass, type in geo

Make sure it lists the following:
Name Type
geo_attr_countries File
geo_attr_us_states File
geo_countries geo
geo_sf_neighborhoods geo
geo_us_states geo
geoip external

In my case, geo_countries, geo_sf_neighborhoods, geo_us_states and geoip was not avialable. To make these queries work, you're calling geo_us_states and/or geo_countries, so it needs to be there.

What i can't figure out is how to add these files manually. When i tried to define a new lookup for geo_countries, the type "geo" was not available, which means I wouldn't even be able to upload the kmz file even if i got access to it. The other thing i can't figure out is why these files and setup aren't readily available as part of upgrading to 6.3 on our onpremise enterprise server.

When i updated my local version at home, this setup was automatically and readily available. Can someone assist in providing info on how to manually update the system to include these geo lookups, that would be incredibly helpful.

The only things special about the lookup is that is has external_type=geo and the filename must refer to a .kmz file residing in the "lookups" folder. This is what I said earlier in the thread about how to manually define your geo lookups. Essentially you just need to define the lookup.:
"I tracked down "could not resolve". This actually is occurring because the "filename" key cannot be found in transforms.conf, corresponding to the geo lookup named "geo_countries". Please locate your transforms.conf file that contains a stanza named [geo_countries]. In this stanza you should see something like:
[geo_countries]
external_type=geo
filename=XXX
(where XXX is the name of a .kmz file that resides in a folder named "lookups" under the splunk etc root)."

you can't use geo_countries unless you declare it first before the pipe
| lookup geo_countries longitude as Long, latitude as Lat

... I'm not sure how to help with that... but I'm going to get in front of someone who may... stay tuned...

the choropleth map will only show a single aggregate split by region...

given that your aggregate is count per region, that is what the choropleth will show

it would be nice if the choropleth could render the count onto the map. It currently only shows the count when you mouseover the region.

im getting the following error: "Error in 'SearchOperator:Geom': could not resolve"

you can't use geo_countries unless you declare it first before the pipe
| lookup geo_countries longitude as Long, latitude as Lat

@mikenagra, I'm not sure if I understood your comment completely. I think that you stated that you can only use geo_countries in the geom command IFF geo_countries was used in the lookup command previously. This is not quite the case.

geo_countries, and geo_us_states are geo-lookup files. They can be used by two commands: lookup and geom.

Lookup uses the geo-lookup file to derive a region id (featureId) from specified per-row lat & lon
Geom uses a geo-lookup file -- and the field specified by featureIdField (defaults to "featureId") -- to insert a GeoJSON blob into the result set that represents the border of the referenced region. If you derived the featureId via some method other than using lookup you may use geom with geo_countries or geo_us_states as the other reference to the geo-lookup file.

Makes sense. Maybe it was just my specific case where I had Lat and Long values in my indexed data that I needed to have a lookup to correlate this data. Without it, geom does absolutely nothing.

ie. This works:
index=main | lookup geo_us_states longitude as Long, latitude as Lat | stats count by featureId | geom geo_us_states

ie. This does not work:
index=main | stats count by featureId | geom geo_us_states

your first case works because featureId is a field that it output from lookup

your second case does not work because featureId does not yet exist

index=main
| stats count by foo

| geom geo_us_states featureIdField=foo

should work if foo is in index=main, and the values of foo map to the names of US states as stored in geo_us_states. To see what is expected, check out geo_attr_us_states ( |inputlookup geo_attr_us_states )

My foo is a zip-code which I use a lookup table to convert to Lat and Long values. In this case my foo does not map directly to the State names. There is an intermediary step that is taken care of by my transforms.conf and props.conf, but it can be inline search as well (| lookup ziplookup Zipcode as LOCATION OUTPUT Lat, Long). For ME, my LOCATION being a zip-code does not map at all to geo_us_states. I get a table with LOCATION and count but not State, if I don't do the ( | lookup geo_us_states longitude as Long, latitude as Lat) to correlate the data. Thanks for the discussion, it does help to learn this stuff. 😃 I could totally be doing this ass-backwards as well.
P.S. I am using this data for a choropleth.

This works:
index=main
| lookup ziplookup Zipcode as LOCATION OUTPUT Lat, Long
| lookup geo_us_states longitude as Long, latitude as Lat
| stats count by featureId
| geom geo_us_states

This does not work:
index=main
| lookup ziplookup Zipcode as LOCATION OUTPUT Lat, Long
| stats count by LOCATION
| geom geo_us_states featureIdField=LOCATION

You're not doing anything backwards -- you just need to lookup into a different KML/KMZ. As you figured out, geo_us_states will only work if your featureId maps to state names. Similarly, geo_countries will only work if your featureId maps to country names.

You need a KML/KMZ file that maps to zip codes.

Here is a link to the blog post that @mporath wrote about adding your own KML/KMZ lookup files:

http://blogs.splunk.com/2015/10/01/use-custom-polygons-in-your-choropleth-maps/

Good luck!

Usually the geom command is applied after both a lookup has been done against the geo lookup table and the stats. This insures that each record that you stat is accompanied by the correct name of the geo-entity from the geo lookup table. Since you are not applying a geolookup, but rather just attaching a country name via geoIp, my suspicion is that the iplocation command may be attaching country names that are not in the geo spatial lookup. My further suspicion is that a blank country name is getting attached by the geoip. Then the geom command says "cannot resolve [blank]" since it cannot find the geometry for an empty country name. One thing you can do is dig out the log (inspect job through the UI, then click to see the dispatch log). I can tell a lot from those logs. The second thing is to use an eval to make sure there are no blank country names passing through from stats.

Could you post your entire search?