Hello,
Have installed AMMap and Maxmind per instructions here and in documentation. Using this formula:
sourcetype="Sites*" Preview fromHost!="'10.*'" | rex
"'(?<fromHost>\d+.\d+.\d+.\d+)'"| stats count by fromHost | head 100 | eval
count_label="Login" |
eval iterator="fromHost" | eval iterator_label="IP" | eval
movie_color="#FF0000" | eval output_file="home_threat_data.xml" | eval
app="amMap" | lookup geoip clientip as fromHost
I'm able to generate results (which I can't post without enough 'karma', but trust me, I'm seeing cities, countries, lat, long, region, etc..)
However, when I use the | mapit command, all of a sudden 'no events were found'. When I run a check of the Splunk logs there are entries which coincides with each | mapit request:
Fri Nov 08 11:31:03 2013 - ERROR - Traceback:Traceback (most recent call last):
File "D:\splunk\etc\apps\amMap\bin\map_results.py", line 180, in run
result_dict_list = get_results()
File "D:\splunk\etc\apps\amMap\bin\map_results.py", line 41, in get_results
if results[0].has_key("app"):
IndexError: list index out of range
Any ideas on what might be happening? Appreciate any tips!
... View more