|tstats values(<indexed__field_name>) where index=<index_name>
will totally avoid going over any events. It gets its answer from looking at metadata in .tsidx files, so no perf hit for scanning events. Orders of magnitude faster than piping a search to stats.
This is not a "supported" architecture, in the sense that it has not been tested as part of our release test pipeline with AWS. However, if you have an SSL cert, signed by a valid cert authority, on the heavy forwarder, then in theory there is nothing to prevent this from working.
Smoothing is done via the Ramer-Douglas-Peucker algorithm. Point in polygon matching and clipping are performed via our proprietary index and algorithm. I intend to make a detailed post on the algorithms.
Unfortunately I believe the UI limits the number of shapes by passing a max of 1000 back to the server. I will look into this when I get back in on Monday to see if there is a workaround. If you don't see a follow-up here on Monday, please ping me at ghendrey@splunk.com
in the search UI you will see a system message like this:
Failed to add peer 'guid=02E2B503-8C98-4690-BD9C-ABAB937BDAE4 server name=indexpeer ip=192.168.1.69:8089' to the master. Error=Cannot register a peer with the master's guid.
You are correct, the two systems have the same guid in instance.cfg and that must be causing the problem.
The rest endpoint (/services/cluster/master/peers) should be returning a meaningful error message, and it is not. So if you are debugging this on the slave, all you see is this:
"05-18-2016 16:45:22.102 -0700 WARN CMSlave - Failed to register with cluster master reason: failed method=POST path=/services/cluster/master/peers/?output_mode=json master=ghendrey-mbp.local:8092 rv=0 actual_response_code=500 expected_response_code=201 status_line=Internal Server Error error=No error [ event=addPeer status=retrying AddPeerRequest: { _id= active_bundle_id=488D0EABB38D6873F00907580854C72D add_type=Initial-Add base_generation_id=0 latest_bundle_id=488D0EABB38D6873F00907580854C72D mgmt_port=8089 name=02E2B503-8C98-4690-BD9C-ABAB937BDAE4 register_forwarder_address= register_replication_address= register_search_address= replication_port=34572 replication_use_ssl=0 replications= server_name=indexpeer site=default splunk_version=6.4.0 splunkd_build_number=dbd9c8b7bedfe28e2ed0a9140fca47225309167a status=Up } ]."
The only things special about the lookup are that it has external_type=geo and the filename must refer to a .kmz file residing in the "lookups" folder. This is what I said earlier in the thread about how to manually define your geo lookups. Essentially you just need to define the lookup:
"I tracked down "could not resolve". This actually is occurring because the "filename" key cannot be found in transforms.conf, corresponding to the geo lookup named "geo_countries". Please locate your transforms.conf file that contains a stanza named [geo_countries]. In this stanza you should see something like:
[geo_countries]
external_type=geo
filename=XXX
(where XXX is the name of a .kmz file that resides in a folder named "lookups" under the splunk etc root)."
I tracked down "could not resolve". This actually is occurring because the "filename" key cannot be found in transforms.conf, corresponding to the geo lookup named "geo_countries". Please locate your transforms.conf file that contains a stanza named [geo_countries]. In this stanza you should see something like:
[geo_countries]
external_type=geo
filename=XXX
(where XXX is the name of a .kmz file that resides in a folder named "lookups" under the splunk etc root).
The fact that the "could not resolve" error message is occurring seems to indicate that the filename key wasn't there, which in turn makes me wonder if the [geo_countries] stanza has gotten borked somehow.
Are you able to do this lookup (the geom command requires the same conf stanza I mentioned above)? So this is a way to check the stanza is correct (don't miss the opening pipe in this hack SPL):
|stats count|eval lat =37.7792| eval lon=-122.4191|lookup geo_countries longitude as lon, latitude as lat
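A second check, added here as an example and not part of the original answer, reads the lookup definition back from splunkd through its REST API instead of opening transforms.conf by hand. It assumes the lookup is named geo_countries and that the lookups endpoint exposes the stanza's filename and external_type attributes as fields; run it from the search bar, again with the leading pipe.

```spl
| rest /servicesNS/-/-/data/transforms/lookups
| search title="geo_countries"
| table title eai:acl.app external_type filename
```

If no row comes back, splunkd has not loaded a [geo_countries] stanza at all; if a row comes back with an empty filename, that is the missing key the "could not resolve" message points at.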
Usually the geom command is applied after both a lookup has been done against the geo lookup table and the stats. This ensures that each record that you stat is accompanied by the correct name of the geo-entity from the geo lookup table. Since you are not applying a geolookup, but rather just attaching a country name via geoIp, my suspicion is that the iplocation command may be attaching country names that are not in the geo spatial lookup. My further suspicion is that a blank country name is getting attached by the geoip. Then the geom command says "cannot resolve [blank]" since it cannot find the geometry for an empty country name. One thing you can do is dig out the log (inspect job through the UI, then click to see the dispatch log). I can tell a lot from those logs. The second thing is to use an eval to make sure there are no blank country names passing through from stats.
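One way to write the eval guard the answer suggests, given here as an added example rather than the poster's own search; the index, sourcetype and the clientip field are assumptions, and the lookup name geo_countries is the one used earlier in the thread.

```spl
index=web sourcetype=access_combined
| iplocation clientip
| eval Country=trim(coalesce(Country, ""))
| where Country!=""
| stats count by Country
| geom geo_countries featureIdField="Country"
```

The coalesce/trim pair turns a missing or whitespace-only country into an empty string, and the where clause drops those rows before stats, so geom never sees a blank feature id. To confirm blanks are really the cause first, run the same search only as far as the stats line and look for a row whose Country is empty.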
I was trying to install a 3 member shc on a single box (my laptop). I had not set distinct "servername" for each member in etc/local/server.conf. I did "splunk clean all" on all members, set a distinct servername in server.conf for each, restarted each node, and reran the bootstrap command on the node I want to be captain (bootstrap captain). Now when I do "splunk show shclusters-status" I can see all three members are up and I don't see the error in the log anymore.
serverside. When you drag a choropleth map, you will clearly see the clipped edge. When you release the drag on the client, you will see the server reclip/gen the geometry, and the screen updates.