Today, after upgrading to Splunk 6.1 I realized, that some GeoIP data in dashboards was missing. By using the lookup search command to get the country from an IP address like :
| stats count | eval ip=”220.127.116.11″ | lookup geoip clientip as ip
I got an error message, which showed that the lookup was somehow not working.
As the “geoip” lookup is implemented as a python script I checked the process using procmon..
As we see python.exe – which represents the lookup script located at c:\Program Files\Splunk\etc\apps\MAXMIND\bin\geoip.py – tries to read the Maxmind Database File GeoCityLite.dat and fails because the file is not where expected. In fact the database file is located at app folder c:\Program Files\Splunk\etc\apps\maps\bin\GeoLiteCity.dat, not Program folder c:\Program Files\Splunk\bin\GeoLiteCity.dat.
To fix the issue open the lookup script, uncomment line 5 and comment out line 6:
DB_PATH = os.path.join(os.environ["SPLUNK_HOME"], ‘etc’, ‘apps’, ‘MAXMIND’,'bin’,'GeoLiteCity.dat’)
The same issue also applies to the Splunk Google Maps app. The command
| stats count | eval ip=”18.104.22.168″| lookup geo ip
returns error code 1 instead of a pin on the map.
you have to adjust the config file c:\Program Files\Splunk\etc\apps\maps\default\geoip.conf to
database_file = c:\Program Files\Splunk\etc\apps\maps\bin\GeoLiteCity.dat
The whole issue looks like a compatibility issue from Splunk 6.0 to 6.1. It seems that lookup scripts are executed in a different working directory.