The observed behavior is a postprocess-limitation of Splunk. When you take a look at the default maps view, you will notice that results are being post-processed. If you search through Splunkbase, youl'll find multiple discussions regarding the 10k postprocess limitation. The results are summarized behind the scenes for the user. The module will automatically apply the following postprocess-search to the base-search: eval _geo_count=coalesce(_geo_count,1) | stats sum(_geo_count) as _geo_count by _geo So the results are aggregated to the count results by unique (distinct) location. The resulting number of records is usually lower by an order of a magnitude in most cases. eg. when dealing with geo-ip database based results, there will not be a huge number of unique locations, since the number of records in the GeoCity Light database is not that big. A lot of IP addresses share the same location. The GoogleMaps module will only fetch 100,000 results from the search endpoint. This is a hard-coded limitation at the moment, since the browser won't be able to handle more records at a time. A better approach is to summarize the result in the base-search, by searching for something like: sourcetype=something src_ip=* | stats count as _geo_count by src_ip | geoip src_ip | search _geo=* | stats sum(_geo_count) as _geo_count by _geo Here's a short explaination what this search does: sourcetype=something src_ip=* Reduce the result in the base search to those events that contain the relevant IP field | stats count as _geo_count by src_ip Aggregate by distinct IP address | geoip src_ip Do the geo-ip lookup | search _geo=* Filter out those results that do not contain geo-information | stats sum(_geo_count) as _geo_count by _geo Aggregate again to the the summarized count of events by distinct location (ie. distinct combination of latitude and longitue). If you're really dealing with a even bigger number of distinct locations (more than 100k), which I doubt, then you will need to perform some kind of server-side clustering. There will be support for accurate geo-clustering in a future version of the Google Maps app. In the meanwhile you can use the kmeans command or craft a custom search command. ... View more

What browser are you using? Windows 7 is the client OS, right? Have you checked the Javascript error console of your browser if there are any messages? ... View more

Setting streaming to false is the way to prevent the command script from being called multiple times. Additionally Splunk will call the script twice for each run if the option supports_getinfo is enabled. You can either disable this option or check if the call is a GETINFO or EXECUTE call. (isgetinfo, sys.argv) = splunk.Intersplunk.isGetInfo(sys.argv) if isgetinfo: splunk.Intersplunk.outputInfo(False, False, True, False, None) else: # ... output to file ... View more

The app uses the Google Maps API Version 3.3 . The last version is 3.6 . There should be an update soon that will use the latest version. ... View more

What build and client OS/browser are you using? Just tried it with 4.3 beta build 111122 in Firefox and Safari and it seems to work fine. ... View more

How does the recipient in your alert look like? Are you sure there is not leading/tailing whitespace or comma? ... View more

What kind of mailserver do you use? Have you looked into the logs of it? ... View more

SMTP Error 550 means "Requested action not taken: mailbox unavailable". Seems like your mailserver doesn't accept the specified recipient. ... View more

You can influence the layout using some custom CSS. See this answer: http://splunk-base.splunk.com/answers/25458/columnrow-span-on-dashboard ... View more

You're right. I didn't see that I've built a rather dirty workaround for Linux. I'll add it to the post, but I think it's something you already had in mind. ... View more

Sadly genormalize only detects lowercase fieldnames... I'll fix that in a future version. ... View more

And it works on at least OSX as well... ... View more

It's running on Ubuntu. Why are you wrapping a python script with a shell script? ... View more

Here's a python script I'm using in various scenarios where I'm invoking a subprocess that should be killed when the script is disabled or splunk is stopped: import sys import signal from subprocess import * process = Popen(...) def cleanup(s, f): try: process.terminate() except: sys.exit(1) signal.signal(signal.SIGTERM, cleanup) (out,err) = process.communicate() Splunk sends a SIGTERM to the script and the callback attached to the signal terminates the subprocess. if os.uname()[0] == 'Linux': from threading import Thread import time class PPIDWatcher(Thread): def __init__(self): super(PPIDWatcher, self).__init__() def run(self): ppid = os.getppid() while True: time.sleep(1) try: os.kill(ppid,0) except: cleanup() PPIDWatcher().start() ... View more

Thx, that sounds reasonable 🙂 ... View more

REGEX = <(\w+)>([^<]+)</ ... View more

Can you make sure that the sourcetype is actually applied to those events? There is a bug on splunkbase, that doubles the backslashes . There should only be one in the REGEX stanza... ... View more

This should work: transforms.conf [simple-xml-tags] REGEX = <(\w+)>([^<]+)</ FORMAT = $1::$2 props.conf [my_sourcetype] REPORT-xml-tags = simple-xml-tags ... View more

What values does this SourceIP field contain? Make sure there are not whitespaces around the IP address. ... View more