I have about 20,000 matching events when I do a search for a specific term. Piping to geoip limits my results to 2,724 events, and 998 events with location information. What is going on here? Are there any limits I need to change? Any insight appreciated.
In my case I added "stats count as c_ip" (my IP field was c_ip) to aggregate the counts before piping to geoip, to reduce the results to within the internal limit. The end result has over 50,000 matching events with location information.
I'm seeing the same issue and have deduped my src_ip, which provides 3000 unique IPs. Running geoip src_ip provides only approximately the first 1000 results. What config change needs to occur to process all?