More info....
I am now getting...
Script for lookup table 'geoip' returned error code 1. Results may be incorrect. (This message is repeated for each of my indexers.)
Maybe I am doing something wrong???
I am trying to use the google maps application. According to the documentation I need a field called _geo that includes lat and lon, so I use the following to create this field:
eval _geo=client_lat.",".client_lon
The field is not created, but if I use:
eval geo=client_lat.",".client_lon
I get the field?
Not sure what I am doing wrong here?
Some clarification...
I changed the search to this....
index=mail | lookup geoip clientip as srcip | eval geo=client_lat+","+client_lon | search client_country="Spain" | table geo
I am getting results such as....
37.3379,-5.8395
But the google map does not have any data/plots????
debug info:
DEBUG: Incompatible set of indexes specified
DEBUG: No matching index found for 'index=mail'
DEBUG: [indexer16] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer17] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer21] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer22] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer23] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer24] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer25] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: [indexer26] search context: user="admin", app="maps", bs-pathname="/opt/splunk/var/run/searchpeers/searchhead15-1351873905"
DEBUG: base lispy: [ AND index::mail ]
DEBUG: search context: user="admin", app="maps", bs-pathname="/opt/splunk/etc"
My example to rename to geo was just to verify that it shows. You need it to be called _geo for it to work with the googlemaps app.
By default, fields with a _ at the start will not display. Run your eval again and then pipe to:
| rename _geo AS GEO | table GEO
to verify that it is being correctly generated. Google maps requires it as _geo, but this is just a nice way to make sure the _geo field is created before troubleshooting other things.
If I look at examples on Splunkbase I see this:
eval _geo=client_lat+","+client_lon