All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

_geo field will not display - need it for google maps

mcbradford
Contributor
‎11-02-2012 08:31 AM

More info....

I am now getting...

Script for lookup table 'geoip' returned error code 1. Results may be incorrect. (this message is repeated for each of my indexers.

Maybe I am doing something wrong???

I am trying to use the google maps application. According to the documentation I need a field called _geo that includes lat and lon, so I use the following to create this field:

eval _geo=client_lat.",".client_lon

The field is not created, but if I use:

eval geo=client_lat.",".client_lon, I get the field?

Not sure what I am doing wrong here?

Some clarrification...

I changed the search to this....

index=mail | lookup geoip clientip as srcip | eval geo=client_lat+","+client_lon | search client_country="Spain" | table geo

I am getting results such as....

37.3379,-5.8395

But the google map does not have any data/plots????

debug info:

DEBUG: Incompatible set of indexes specified
DEBUG: No matching index found for 'index=mail'
DEBUG: [indexer16] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer17] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer21] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer22] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer23] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer24] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer25] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer26] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: base lispy: [ AND index::mail ]
DEBUG: search context: user="admin", app="maps", bs-pathname="/opt/splunk/etc"

Reply

Drainy
Champion
‎11-05-2012 04:20 AM

My example to rename to geo was just to verify that it shows. You need it to be called _geo for it to work with the googlemaps app

0 Karma
Reply

Drainy
Champion
‎11-02-2012 08:41 AM

By default fields with a _ at the start will not display. Run your eval again and then pipe to;

| rename _geo AS GEO | table GEO

To verify if it is being correctly generated. Google maps requires it as _geo but this is just a nice way to make sure the _geo field is created before troubleshooting other things

Reply

sdaniels
Splunk Employee
Splunk Employee
‎11-02-2012 08:37 AM

If I look at examples on Splunkbase i see this:

eval _geo=client_lat+","+client_lon
Reply
Get Updates on the Splunk Community!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...