Hello everyone,
I'm running Splunk 5.0.4 on Linux and installed the Google Maps app. When I access the app, I see the normal search bar at the top and then a world map on the bottom half of the screen (so the app appears to be installed). Also, in my app settings, I have all of the options (GeoIP & cache) enabled.
When I run a simple all-inclusive "*" search on all data (last 15 minutes) I get search results with thousands of events and thousands of IPs in those events. But no "dots" or location information on the map... it's just a blank map.
When I click on "Geo Results" it says: "No results found."
What am I doing wrong?
Thanks.
You still have to call the geoip command to get this to show up on the map.
Examples from the docs:
Perform a geolocation lookup for values of the clientip field in access_combined events:
sourcetype=access_combined | geoip clientip
Same as the previous example, but also perform DNS lookups in case the value of the clientip field is a hostname and not an IP:
sourcetype=access_combined | geoip clientip resolve_hostnames=true
Same as the first example, but using the geo lookup instead of the command:
sourcetype=access_combined | lookup geo ip as clientip
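To make the answer concrete, here is an added example (not code from the thread, the Google Maps app, or Splunk) that mimics what the `geoip clientip` / `lookup geo ip as clientip` step does to an event stream: pull the client field out of each access_combined line, match it against a range-based geo table, optionally resolve hostnames first, and then count matched points the way a "Geo Results" panel would. The event lines, the CIDR-to-coordinate table and the hostname table are all constructed stand-ins; a real deployment uses the MaxMind data the app ships with. The point it shows is the one in the answer: an event that never passes through the lookup carries no coordinates, so the map has nothing to plot.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access_combined events (documentation ranges, not real traffic).
SAMPLE_EVENTS = [
    '203.0.113.7 - - [10/Oct/2013:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326',
    '198.51.100.23 - - [10/Oct/2013:13:55:40 -0700] "POST /login HTTP/1.1" 302 0',
    '203.0.113.99 - - [10/Oct/2013:13:56:01 -0700] "GET /img/logo.png HTTP/1.1" 200 4821',
    'host.example.test - - [10/Oct/2013:13:56:05 -0700] "GET / HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2013:13:56:09 -0700] "GET /admin HTTP/1.1" 403 0',
]

# Constructed stand-in for the "geo" lookup table: network range -> (lat, lon, country).
# A real GeoIP database is range-based in the same way, just far larger.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), (37.77, -122.42, "US")),
    (ipaddress.ip_network("198.51.100.0/24"), (51.51, -0.13, "GB")),
]

# Constructed stand-in for DNS, i.e. what resolve_hostnames=true would do online.
HOSTNAME_TABLE = {"host.example.test": "198.51.100.200"}

# access_combined starts with the client field; everything up to the first space.
CLIENT_RE = re.compile(r"^(\S+)\s")


def extract_clientip(event):
    """Return the leading client field of an access_combined line, or None."""
    match = CLIENT_RE.match(event)
    return match.group(1) if match else None


def resolve(value, resolve_hostnames):
    """Return an ip_address for value, resolving hostnames only when asked."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        pass
    if resolve_hostnames and value in HOSTNAME_TABLE:
        return ipaddress.ip_address(HOSTNAME_TABLE[value])
    return None


def geo_lookup(ip):
    """Range match against the geo table; None when no range contains ip."""
    if ip is None:
        return None
    for network, location in GEO_TABLE:
        if ip in network:
            return location
    return None


def geoip(events, resolve_hostnames=False):
    """Mimic '| geoip clientip': annotate each event with lat/lon/country or None."""
    rows = []
    for event in events:
        client = extract_clientip(event)
        location = geo_lookup(resolve(client, resolve_hostnames))
        rows.append({
            "clientip": client,
            "lat": location[0] if location else None,
            "lon": location[1] if location else None,
            "country": location[2] if location else None,
        })
    return rows


def geo_results(events, resolve_hostnames=False):
    """Count plottable points: only events that gained coordinates appear."""
    points = Counter()
    for row in geoip(events, resolve_hostnames):
        if row["lat"] is not None:
            points[(row["lat"], row["lon"])] += 1
    return points


if __name__ == "__main__":
    for row in geoip(SAMPLE_EVENTS, resolve_hostnames=True):
        print(row)
    print(geo_results(SAMPLE_EVENTS))
    print(geo_results(SAMPLE_EVENTS, resolve_hostnames=True))
```

Without `resolve_hostnames`, the hostname event and the private 10.0.0.5 address both come back with no coordinates and are simply absent from the point count; with it, the hostname resolves into the 198.51.100.0/24 range and is plotted. That is the same distinction the two `geoip` forms in the answer make.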
That worked! Thanks for the info!
Yes, I have maxmind installed as well.
Did you install the maxmind app?