Solved: Google Maps App Never Populates the Map with Resul...

keiche · ‎01-10-2011

I have installed the latest versions of the Google Maps app and MAXMIND (amMaps works). Whenever I attempt to perform a search, the results will find IP addresses, but never places them on the map. I see there are other people who have the same concern as me, but there is no definitive answer online. I have even ran these queries as the administrator. How do I get the IP addresses to be geospatially mapped?

Here are some queries I've tried:

* | lookup geoip clientip | geonormalize

sourcetype=syslog | lookup geoip clientip | geonormalize

* | rex "(?<ip>\d+\.\d+\.\d+\.\d+)" | eval clientip=ip | lookup geoip clientip | geonormalize

* | rex "(?<ip>\d+\.\d+\.\d+\.\d+)" | lookup geoip clientip | geonormalize

* | rex "(?<ip>\d+\.\d+\.\d+\.\d+)" | eval clientip=ip | lookup geoip clientip | geonormalize

sourcetype=syslog | rex "(?<ip>\d+\.\d+\.\d+\.\d+)" | eval clientip=ip | lookup geoip clientip | geonormalize

All of these queries result in 0 different locations found, despite all of the events having IP addresses (and return results in the regular search mode).

ziegfried · ‎01-10-2011

Did you try the geoip command? It ships with the Google Maps app.

* | rex "(?<ip>\d+\.\d+\.\d+\.\d+)" | geoip ip

Some of your searches should work, it seems something's wrong with the geonormalize command. I'll take a look at it.

View solution in original post

Akili · ‎01-16-2012

mee too. its not working

asleeis · ‎03-16-2011

I see similar issues. My fields are always extracting okay, but the map just seems to toggle back and forth with the "loading preview..." message. It's inconsistent, though. I had it working earlier. My boss never had it work. I've seen this off and on with mine. Sometimes restarting splunk helps. Sometimes not. Not really sure what's what.

the_wolverine · ‎02-11-2011

Ziegfried, just wanted to post that I tried out your app and have to say, AWESOME! Thanks for sharing.

ziegfried · ‎01-10-2011

Did you try the geoip command? It ships with the Google Maps app.

* | rex "(?<ip>\d+\.\d+\.\d+\.\d+)" | geoip ip

Some of your searches should work, it seems something's wrong with the geonormalize command. I'll take a look at it.

sideview · ‎03-07-2011

Also seems to not work on windows for me. The geoip command adds no fields. Indeed on linux it seems fine.

keiche · ‎02-08-2011

I switched over to the Linux version of splunk (away from Windows), and I got my search to work. Thanks ziegfried.

keiche · ‎01-17-2011

I do not see these when I open up the "All 71 Fields" link

ziegfried · ‎01-11-2011

Are you seeing the generated geo fields? They should be named like ip_countrycode, ip_latitude, etc.

keiche · ‎01-11-2011

Hmmm, I just ran that query and it ended the same way - nothing on the map. The ip variable has over 100 unique IP addresses for the last 15min (and I filtered out the private IP spaces).

Google Maps App Never Populates the Map with Results

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor