Im still waiting for an answer... Did I miss any answers here...? ... View more

Im trying sourcetype="*" | geoip SourceIP | kmeans k=100 SourceIP_country_name , its not giving me anything... any suggestions on the search command? ... View more

ok, from what I understand, your comments are on Google Maps limit of 100,000: 1)Why splunk only goes up to 10k instead of 100k? if possible, how to modify that? 2)Why running geoip command in splunk's main search (the flashtime runner) also has the same issue although geoip command doesnt have anything to do with Google Maps? ... View more

got it. thanks 😉 ... View more

thanks alot ziegfried for the comprehensive, detailed answer... everyone here kindly aimed to help me with this problem and finally there is an answer... 2 thoughts though.. 1: searching using your suggested search query does not fetch anything for me, it seems to be searching, but fetched results remains 0 and search percentage sticks to 46% for very long time (almost a day)... 2: your doubt is actually wrong. I do have nearly 1.5 millions of "distinct locations"... ... View more

yup dmaislin, and yet no difference... although I knew problem is not from Google Maps permissions as the geoip command behaves the same both in Google Maps and the flashtimeline search. thats why I pointed my problem to geoip, not google maps.. the snapshots that i provided here on geoip as well was done on the flashtimeline, not Google Maps... ... View more

noted and thanks. and I still am waiting to find out the source of the problem... ... View more

thanks hexx for detailed information and references you provide here.. but this is getting even weirder... 😄 although the command is used by all the users without the lookup command, I tried your way and received error: [EventsViewer module] Error in 'lookup' command: The lookup table 'geoip' does not exist. and trying the same command in Google Maps gives this error: Rendering... Error : Traceback: Traceback (most recent call last): File "/opt/splunk/etc/apps/maps/appserver/modules/GoogleMaps/GoogleMaps.py", line 53, in generateResults for result in getattr(job, entity_name)[offset:end]: File "/opt/splunk/lib/python2.6/site-packages/splunk/search/__init__.py", line 1280, in __getitem__ self.job.pushValidation() File "/opt/splunk/lib/python2.6/site-packages/splunk/search/__init__.py", line 610, in pushValidation raise splunk.SearchException, fatality SearchException: Error in 'lookup' command: The lookup table 'geoip' does not exist. besides, the SPP about page, located at .../app/maps/about is a help document with this search as example: Perform a geolocation lookup for values of the clientip field in access_combined events: sourcetype=access_combined | geoip clientip Same as the previous example, but also perform DNS lookups in case when the value of the clientip field is a hostname and not an IP: sourcetype=access_combined | geoip clientip resolve_hostnames=true Same as the first example, but using the geo lookup instead of the command sourcetype=access_combined | lookup geo ip as clientip etc... etc... etc... I even tried this: SIP="*" | lookup geo SIP and got the same error... ... View more

thank you for the update. if the user wishes to maximize that for any reasons of their own, how would that go..? besides, would you explain as well geoip's behavior as geoip command entered in flashtimeline also stops after 10000 results... ... View more

Alright... since this problem behaves exactly the same with any kind of searching I do, I start from a very simple search first... I am applying field extraction using DELIMS, hence I have a field called SIP which stands for sourceip... so now, what I want to show u is results for SIP=* for a normal search, then results for same search on advanced charting view, then SIP=* | geoip SIP to also have geoip behaviour... as you can see, both geoip and advanced chart only retrieve 10000 results ! these are snapshots for the normal search where you can see is up to 7 millions and I had to actually stop it since there was already enough results and it was taking much time... but the point is, the data that exists is way more than 10000... then here it is on advanced charting: and last but not least, geoip! as you can see, both advanced charting and geoip have only 10000 results! the matching event is different. which indicates 2 problems actually: both of them stop only on counting 10000 results accuracy of these 2 as well is now a question mark! because if they both only fetch 10000 results, given that my search in both was the same, their matching events as well should be exactly the same!! ... View more

Draineh, here the limits.conf results in pastebin Hexx, I'll get that and post it here ASAP. thanks ... View more

thanks for your response hexx, as I'd stated in my description the view causes the problem... which is in line with your say that using other search commands (stats, timechart, etc) gives more results... I explained in my other post (the link is available above), the problem seems to raise when it has to display more than that number of results, not counts and stats... (I've already explained this in detail in my other post) and again, in other post I did mention that I tried all possible parameters in limits.conf which includes the ones you are saying, and yet it did not have any effects neither on advanced charts nor geoip!!! ... View more

besides, if thats the case, why geoip behaves the same way... its very unlikely its a coincidence... ... View more

I know I tried many sorts of searches that should have shown thousands of results... but on using stats or timechart I have to try first and get back to u... but if there is any limits anyways, wouldnt it prevent from all kinds of searches...? ... View more

my pleasure... no problems...:) and yes I just saw his answer there... yesterday when I posted this I was left with no answers.. thank you for replying me as well... ... View more

thanks so much dmaislin for responding... i really was feeling im loosing it... anyways, i've already opened a support ticket. the number is CASE [73624]. thanks alot for ur support 🙂 ... View more

I'm not getting any answers or opinions here nor in the other post Bug? Splunk advanced searching/views does not display correctly... really disappointed... ... View more

still no answers/opinions...??? ... View more

from what I understand, that post is only about charting, time ranges and XML... my problem I think resides in lower level of splunk, is not the matter of how it is represented, but the problem is that the results are not fetched at all... the poster of that thread had a problem that the results were shown in the table, but not on the chart, only. mine is not displayed anywhere when I search in Advanced charting or when I use geoip in the normal search... ... View more

I found the license information under: $SPLUNK_HOME/etc/apps/maps/MAXMIND_LICENSE.txt Is this the right path to change the license of GeoLite to GeoIP..?? ... View more