Google Maps GeoIP max 1000 events

bluecomet · ‎01-10-2013

I have about 20,000 matching events when I do a search for a specific term. Piping to geoip limit my results to 2,724 events, and 998 events with location information. What is going on here? Any limits I need to change? Any insight appreciated.

scdpantidepressantskills sc_status="200"

Data shows from Jan - Dec

vs

scdpantidepressantskills sc_status="200" | geoip c_ip

Only Nov - Dec Data appears

bluecomet · ‎06-03-2013

The answer by ziegfried in this post was helpful:

http://splunk-base.splunk.com/answers/37105/geoip-search-results-not-correct

In my case I added "stats count as c_ip" (my ip field was c_ip) to agggregate the counts before piping to geoip to reduce the results to within the internal limit. The end result has over 50,000 matching events with location information.

bbthesplunk · ‎06-03-2013

I'm seeing the same issue and have dedup my src_ip which provides 3000 unique ips. running geoip src_ip provides only approximately the first 1000 results. What config change needs to occur to process all?

Thanks

imallika · ‎05-07-2013

Did you try deduping the ip field before piping it out to c_ip?
Like : scdpantidepressantskills sc_status="200" | dedup c_ip | geoip c_ip

Your results are probably pulling up duplicates of ips.

bluecomet · ‎05-24-2013

Deduping reduces it a bit, but I was able to increase the limit to no more than 10000 events in the limits.conf

Google Maps GeoIP max 1000 events

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!