Fix GeoIP and Google Maps Apps in Splunk 6.1

Today, after upgrading to Splunk 6.1, I realized that some GeoIP data in dashboards was missing. By using the lookup search command to get the country from an IP address like:

| stats count | eval ip="193.28.153.192" | lookup geoip clientip as ip

I got an error message, which showed that the lookup was somehow not working.

As the “geoip” lookup is implemented as a Python script, I checked the process using procmon.

As we see, python.exe – which represents the lookup script located at c:\Program Files\Splunk\etc\apps\MAXMIND\bin\geoip.py – tries to read the Maxmind database file GeoLiteCity.dat and fails because the file is not where expected. In fact, the database file is located in the app folder at c:\Program Files\Splunk\etc\apps\maps\bin\GeoLiteCity.dat, not in the program folder at c:\Program Files\Splunk\bin\GeoLiteCity.dat.

To fix the issue open the lookup script, uncomment line 5 and comment out line 6:

DB_PATH = os.path.join(os.environ["SPLUNK_HOME"], 'etc', 'apps', 'MAXMIND', 'bin', 'GeoLiteCity.dat')
#DB_PATH=('GeoLiteCity.dat')

The same issue also applies to the Splunk Google Maps app. The command

| stats count | eval ip="193.28.153.192" | lookup geo ip

returns error code 1 instead of a pin on the map.

You have to adjust the config file c:\Program Files\Splunk\etc\apps\maps\default\geoip.conf to

database_file = c:\Program Files\Splunk\etc\apps\maps\bin\GeoLiteCity.dat

The whole issue looks like a compatibility issue from Splunk 6.0 to 6.1. It seems that lookup scripts are executed in a different working directory.
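
The failure mode above (a bare file name that only resolves when the script is started from the right working directory) can be avoided by building the path from the script's own location, with SPLUNK_HOME as a fallback. This is an added example, not code from the MAXMIND or Google Maps apps; resolve_db_path, its env and app parameters, and the temporary folder layout in demo() are hypothetical and constructed for illustration.

```python
import os
import tempfile

DB_NAME = "GeoLiteCity.dat"  # database file name used in the post


def resolve_db_path(script_file, env=None, app="MAXMIND"):
    """Return the first existing database path that does not depend on the CWD.

    script_file: normally __file__ of the lookup script.
    env, app:    hypothetical parameters so the function can be tested.
    """
    env = os.environ if env is None else env
    script_dir = os.path.dirname(os.path.abspath(script_file))
    candidates = [os.path.join(script_dir, DB_NAME)]
    if env.get("SPLUNK_HOME"):
        candidates.append(
            os.path.join(env["SPLUNK_HOME"], "etc", "apps", app, "bin", DB_NAME))
    for path in candidates:
        if os.path.isfile(path):
            return path
    # Report every path that was tried instead of a bare lookup error.
    raise IOError("%s not found; tried: %s" % (DB_NAME, ", ".join(candidates)))


def demo():
    """Constructed layout: a fake SPLUNK_HOME with the database in the app's bin folder."""
    home = tempfile.mkdtemp()
    bin_dir = os.path.join(home, "etc", "apps", "MAXMIND", "bin")
    os.makedirs(bin_dir)
    with open(os.path.join(bin_dir, DB_NAME), "wb") as fh:
        fh.write(b"constructed placeholder, not a real database")
    script = os.path.join(bin_dir, "geoip.py")

    old_cwd = os.getcwd()
    os.chdir(home)  # simulate the script being started from another directory
    try:
        bare_name_works = os.path.isfile(DB_NAME)  # what DB_PATH=('GeoLiteCity.dat') relies on
        resolved = resolve_db_path(script, env={})  # found next to the script
        via_env = resolve_db_path(os.path.join(home, "elsewhere.py"),
                                  env={"SPLUNK_HOME": home})  # found via SPLUNK_HOME
    finally:
        os.chdir(old_cwd)
    return bare_name_works, resolved, via_env


if __name__ == "__main__":
    print(demo())
```

In a real lookup script the call would be resolve_db_path(__file__), so the result stays the same whatever working directory the script is launched from.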