* | geoip clientip returns error. HELP HELP! ___

Question

I did * | geoip clientip

yet I get an error:

"External search command 'geoip' returned error code 1. First 1000 (of 9218) bytes of script output:" followed by the script output.

A screenshot is here:

http://tinypic.com/r/2hnb1cp/7

Accepted Answer

2

You can do:

* | geoip clientip

This will pipe all events in the index into the geoip tool.

link

answered 10 Dec '10, 21:04

ftk ♦
6.8k●1●7●27
accept rate: 38%

@ftk I've updated the question with an error, any help?

(10 Dec '10, 22:31) hunterppp

Hmm. I don't think that screenshot tells us much as to what the error is. There should be a python.log in $SPLUNK_HOME/var/log/splunk/ That should have the full error message.

(13 Dec '10, 13:37) ftk ♦

Answer 2

0

Looks like you're getting an exception that splunk doesn't know how to parse. The main thing is it's returning failure (a nonzero exit code). You may want to capture from inside the script how it's being invoked and run it independently to investigate.

link

answered 15 Dec '10, 18:25

jrodman ♦
7.0k●2●10●27
accept rate: 41%

* | geoip clientip returns error. HELP HELP! ___

Follow this question

Splunk Resources

Related questions