Google Maps and Splunk 6 - limited results graphin...

howyagoin · ‎11-13-2013

I tried the Google Maps app under Splunk 6 and noticed that it's not graphing more than a few hundred hits, even though the results are far more numerous. I see that it doesn't explicitly state that it works under Splunk 6, but, I was wondering if anyone else has noticed this.

The app: http://apps.splunk.com/app/368/

My search results in hundreds or thousands of results, but only a few hundred ever show up in Google Maps; and it's not a case of aggregation where zooming shows more (tried checking).

Anyone else seen this or know a workaround?

I should add that if I re-run the same query over and over I get a different number of results with each query. Once it may be 501, then 561, then 550, then 512. I have a distributed search head/indexer setup if that matters.

LukeMcfly · ‎12-15-2014

I have a result table of 614 distinct location Events of which only about 100 markers get plotted. I'm not using the Google Maps for I have to work without dependencies and I wonder why my GooglemapsView doesn't show all my Events. I checked the limit.conf file where my subsearch limit is set to 1000 . Is there a workaround or any other settings I have to configure? Is anyone experiencing the same issue?

jedatt01 · ‎12-17-2014

I'm experiencing the same issue. I have counted and my map will literally display only 100 distinct locations. I am also using javascript to override the default app settings and add my own markers and popups (etc.) There has to be some hardcoded limit in the app that's causing this. Per google documentation the only limitation they pose is the url limit of 2048 characters. I've tried to shorten my URL's but still my map stops at 100 results. Someone please help!

wangjifeng · ‎12-24-2013

I also meet this problem,

when i use
"sourcetype=cell |eval _geo=lat+","+lon"

i got
"340,275 match events"

but in views of google map, the total results is
"8392 results with location information ( 140 distinct locations ) "

when i use
"sourcetype=cell |geoip"

I only got
"3,000 match events"

in map
"1000 results with location information ( 38 distinct locations )"

pmos69 · ‎12-19-2013

It's possible you're hitting the Splunk postprocess limits.
Workaround: Help gmaps by summarizing the results yourself to the _geo_count field.

For a complete explanation and example see http://answers.splunk.com/answers/37105/geoip-search-results-not-correct/41177

Solved my problems.

shawnfreynolds · ‎01-14-2014

this worked out great for me!

xisura · ‎12-02-2013

Hi, I also like the map marker its better than the pie chart, planning to integrate the google map in Splunk 6 but as I read the doc there is no note there that google map is applicable in Splunk 6. Hope someone could help us here.If we use the built-in map in splunk 6 is there a way we can change the pie chart to map marker?

howyagoin · ‎11-14-2013

Yes, I have, however, there appears no way to make a label appear in a marker representing a count. I liked the way the count appeared in the Google Maps app - good for screenshots and quick visual summaries. Radius of marker isn't enough.

martin_mueller · ‎11-14-2013

Have you tried using the built-in map of Splunk 6 instead?

Google Maps and Splunk 6 - limited results graphing.

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases