
Google Maps GeoIP max 1000 events

bluecomet
New Member

I have about 20,000 matching events when I do a search for a specific term. Piping to geoip limits my results to 2,724 events, and 998 events with location information. What is going on here? Any limits I need to change? Any insight appreciated.

scdpantidepressantskills sc_status="200"

Data shows from Jan - Dec

vs

scdpantidepressantskills sc_status="200" | geoip c_ip

Only Nov - Dec Data appears

0 Karma

bluecomet
New Member

The answer by ziegfried in this post was helpful:

http://splunk-base.splunk.com/answers/37105/geoip-search-results-not-correct

In my case I added "stats count as c_ip" (my IP field was c_ip) to aggregate the counts before piping to geoip to reduce the results to within the internal limit. The end result has over 50,000 matching events with location information.

0 Karma

bbthesplunk
Explorer

I'm seeing the same issue and have deduped my src_ip, which provides 3000 unique IPs. Running geoip src_ip provides only approximately the first 1000 results. What config change needs to occur to process all?

Thanks

0 Karma

imallika
New Member

Did you try deduping the IP field before piping it out to c_ip?
Like: scdpantidepressantskills sc_status="200" | dedup c_ip | geoip c_ip

Your results are probably pulling up duplicates of IPs.

0 Karma

bluecomet
New Member

Deduping reduces it a bit, but I was able to increase the limit to no more than 10000 events in the limits.conf.

0 Karma