i tried the app but i couldn't get it to work with iplocation which was why i asked the question in this forum.
again, I recommend making sure that Country is not blank in any of the geoip outputs
Something like this should work for the SPL:
assuming that the IP address you're interested in is "client_ip"
| iplocation clientip
| stats count by Country
| geom geocountries featureIdField=Country
you can then set the visualization type to Choropleth
I tracked down "could not resolve". This actually is occurring because the "filename" key cannot be found in transforms.conf, corresponding to the geo lookup named "geocountries". Please locate your transforms.conf file that contains a stanza named [geocountries]. In this stanza you should see something like:
(where XXX is the name of a .kmz file that resides in a folder named "lookups" under the splunk etc root).
The fact that the "could not resolve" error message is occurring seems to indicate that the filename key wasn't there, which in turn makes me wonder if the [geo_countries] stanza has gotten borked somehow.
Are you able to do this lookup (the geom command requirers the same conf stanza I mentioned above)? SO this is a way to check the stanza is correct (don't miss the opening pipe in this hack SPL):
|stats count|eval lat =37.7792| eval lon=-122.4191|lookup geo_countries longitude as lon, latitude as lat