I'm using the Google Maps App for Splunk. When attempting to use the geoip command, it only appears to actually show a small fraction of a percentage (around .0008%) of IPs as having geographical information.
sourcetype="pan_*" | geoip src_ip resolve_hostnames=true
It's searched 188,826 records (all of which contain the src_ip field in standard X.X.X.X format), however it's only stating that there are "166 results with location information ( 16 distinct locations ) over all time".
Using free online tools, I get a better hit ratio than this. Can anyone help me out? I'm guessing I'm doing something wrong with my RegEx.
-Travis
This is a known issue. When using the geoip command on searches with lots of events, there is a limitation on the results Splunk shows after you run the search with the command. In the background it finds all of them, but it may be showing you only a few. Don't worry, it has no effect when you want to show stats.
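One way to check that claim on your own data, as an added example that is not part of the original thread: pipe the geoip output into stats and count how many events actually got location fields, instead of relying on the row count the command displays. The field name `src_ip_country_name` is an assumption about what geoip appends for an input field called `src_ip`; the exact names depend on the app version, so confirm them first with `sourcetype="pan_*" | geoip src_ip | fieldsummary`.

```spl
sourcetype="pan_*"
| geoip src_ip
| stats count AS total_events,
        count(src_ip_country_name) AS located_events,
        dc(src_ip_country_name) AS distinct_countries
| eval hit_ratio_pct=round(100*located_events/total_events, 2)
```

If `located_events` is close to `total_events`, the lookup is working and only the display was truncated; if it is still tiny, the search itself is the problem rather than the result limit.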