How can I get the "Splunk for use with AMMAP" to work?

clyde772
Communicator

For the AMMAP application for the map, I followed the instructions and installed MAXMIND and the AMMAP app, but I can't make Splunk plot the points on the map.

When I enter a search command like the one below,

  • | rex "(?<ip>\d+\.\d+\.\d+\.\d+)" | stats count by ip | head 100 | eval count_label="Event" | eval iterator="ip" | eval iterator_label="IP" | eval movie_color="#FF0000" | eval output_file="home_threat_data.xml" | eval app="amMap" | lookup geoip clientip as ip | mapit

I get the error message below and a chart-like view instead of map plots. Here is the error.

/opt/splunk/etc/apps/amMap/bin/map_results.py:76: SyntaxWarning: name 'app' is assigned to before global declaration
/opt/splunk/etc/apps/amMap/bin/map_results.py:77: SyntaxWarning: name 'outputFile' is assigned to before global declaration

Anybody have any tips on how to get this problem resolved?

0 Karma

hammon0u
Explorer

I have a question on the population of the xml_out file: does the file get appended to or re-created when the search is run to populate it?

0 Karma

hiddenkirby
Contributor

A clarification might be needed here.

When you pipe to mapit ... it kicks off a script that builds the home_threats_data.xml file.

Then you go back to the map dashboard.. and it will be populated using that home_threats_data.xml file.

You won't see any results in the search results area... it just shows the status of the script there.

You'll see instructions on how to make more maps on the howto page. But essentially it just builds a static xml that the flash map runs off of.

Not sure if this helped.. but when I first ran it I thought mine crashed.. but it didn't.

Suda
Communicator

Hello,

I always get similar messages when I search with the "mapit" command.

/opt/splunk/etc/apps/amMap/bin/map_results.py:73: SyntaxWarning: name 'app' is assigned to before global declaration global app
/opt/splunk/etc/apps/amMap/bin/map_results.py:74: SyntaxWarning: name 'outputFile' is assigned to before global declaration global outputFile
INFO - get_results() :

But... the "mapit" command can create the output file in my environment: /opt/splunk/etc/apps/amMap/appsearver/static/xmlout/home_threat_data.xml.

Then I can see some plots on the map, when I open "AMMAP View" under "AMMap" menu.

  1. Could you try to check the App version? ( amMap/default/MANIFEST ) If your installed App is not the latest, could you try to upgrade it?

  2. Could you try to check whether "home_threat_data.xml" file is created or not?

    Check your "/opt/splunk/etc/apps/amMap/appsearver/static/xmlout" folder.

  3. Could you try to search without the "mapit" command?

    I can see the results view containing the following values: "ip", "client_city", "client_country", "client_lat", "client_lon", etc. If you cannot get any "ip" or "client_lat" information, you may need to change your search commands to get IP addresses.

My Splunk environment is...

  • Splunk 4.1.2 (79191) running on CentOS 5.3.
  • Splunk for use with AMMAP 4.1.3 (dateAddonUpdated 2010-05-01T23:34:35)
  • Splunk eats SonicWall UTM logs.

I hope it helps you to get your results that you want.

Thank you.
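The warning both clyde772 and Suda quote comes from a Python ordering rule: a function assigns to `app`/`outputFile` first and only afterwards declares them `global`. The following is an added example, not the app's own map_results.py (the module text is a constructed reconstruction of that ordering), which compiles both orderings and reproduces the same message; Python 2 of that era reported it as a SyntaxWarning, while current Python 3 rejects the module outright.

```python
import warnings

# Constructed, hypothetical reconstruction of the ordering problem behind
# "name 'app' is assigned to before global declaration"; not the real map_results.py.
BUGGY_SRC = '''
app = None
outputFile = None

def get_results(results):
    # Assigned first ...
    app = results.get("app")
    outputFile = results.get("output_file")
    # ... and only then declared global: Python 2 emitted a SyntaxWarning here,
    # Python 3.6+ refuses to compile the module.
    global app
    global outputFile
    return app, outputFile
'''

FIXED_SRC = '''
app = None
outputFile = None

def get_results(results):
    # The global declaration must precede every assignment to the name.
    global app, outputFile
    app = results.get("app")
    outputFile = results.get("output_file")
    return app, outputFile
'''


def check_source(src):
    """Compile src; return (compiled_ok, message) where message is the
    SyntaxError text, the first SyntaxWarning text, or "" when clean."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        try:
            compile(src, "map_results_example.py", "exec")
        except SyntaxError as exc:
            return False, exc.msg
    msgs = [str(w.message) for w in caught if issubclass(w.category, SyntaxWarning)]
    return True, msgs[0] if msgs else ""


def run_fixed(event):
    """Execute the corrected module and call its get_results(); returns (app, outputFile)."""
    ns = {}
    exec(compile(FIXED_SRC, "map_results_example.py", "exec"), ns)
    return ns["get_results"](event)
```

Either way the message names the first offending variable (`app`), which matches line 73/76 of the script in the quoted warnings; the second warning for `outputFile` follows from the same ordering.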

Suda
Communicator

clyde772, the command "mapit" just creates an xml file specified by the "output_file" parameter. It doesn't draw any maps.
To show your map and data, you need to re-open "AMMAP View" as hiddenkirby explained below.

Could you try the following steps?
1. Find "home_threats_data.xml" under "/opt/splunk/etc/apps/amMap/appsearver/static/xmlout" folder.
2. Move "home_threats_data.xml" to any other folder.
3. Do search with the "mapit" command.
4. Check whether "home_threats_data.xml" is created, or not.
In my test environments, I can always find it, even if I see some SyntaxWarnings.

Thank you.

0 Karma

clyde772
Communicator

Suda,

It works without the "mapit" command, but when I run "mapit" I get,

/opt/splunk/etc/apps/amMap/bin/map_results.py:76: SyntaxWarning: name 'app' is assigned to before global

My env is:
* Splunk 4.1.2 running on Fedora Core 12, 64-bit.
* AMMAP 4.1.3

Still not working. I am assuming many other people running Linux have the same issue.

0 Karma

rroberts
Splunk Employee

What happens if you leave off the | mapit? Do you see results?

0 Karma