Re: Geo Location Lookup Script (powered by MAXMIND...

Michael · ‎05-13-2014

Love this app!
Worked fine with 6.0.2 -- but broke when I applied 6.1 (build 206881).

"Script for lookup table 'geoip' returned error code 1. Results may be incorrect. "

Any ideas?
If the developers are around -- pretty please fix?

martin_mueller · ‎05-13-2014

Consider using iplocation: http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/iplocation

martin_mueller · ‎06-01-2014

Different results could be different database ages, or different accuracies. Remember, IP to location lookups aren't an exact science - one address can be assigned to different locations dynamically as well.

I think the DB used by the iplocation command is sitting somewhere in $SPLUNK_HOME, forgot where though. Maybe you can replace it with a commercial high-accuracy one yourself.

delfering · ‎05-30-2014

Same boat at the OP. Trying the suggestion but I'm seeing different results using iplocation. Wonder if it is as accurate as the Maxmind database?

martin_mueller · ‎05-14-2014

Well... the app you linked isn't marked as compatible with Splunk 6.

As for finding searches to edit, you can use Splunk for that. Call the saved searches REST endpoint in the regular search bar and filter like this: regex search="\|\s*geoip".

Michael · ‎05-14-2014

Thanks. Just tried it, works well enough.

Bummer though, all that invested time in getting my dashboards and reports created with geoip -- just another thing to add to my todo list, editing them...

Geo Location Lookup Script (powered by MAXMIND) -- broken with 6.1?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases