topic Re: GEOIP Only displaying 10000 results on a map in All Apps and Add-ons

GEOIP Only displaying 10000 results on a map

brianokelly — Mon, 28 Sep 2020 10:06:22 GMT

Hi all, when plotting geoip data onto google maps we only see 10K results displayed. I checked in limits.conf and modified a number of parameters which had no effect. When I do a search inspection I see for the parameter request:

request {'time_format': '%s.%Q', 'search': 'search index=bluecoat | geoip cip', 'required_field_list': '*', 'max_count': '10000', 'ui_dispatch_app': 'SplunkForHostworksCDN', 'latest_time': '0', 'status_buckets': '300', 'ui_dispatch_view': 'flashtimeline', 'earliest_time': '1321249597', 'auto_cancel': '100'}

It seems the max_count is set to 10000. Does anyone know which parameter this refers to for google maps?

Re: GEOIP Only displaying 10000 results on a map

dmaislin_splunk — Mon, 28 Sep 2020 10:16:31 GMT

In case you want to take a look at the limits, they are established on $SPLUNK_HOME/etc/system/default/limits.conf, find the one you'd like to change, create a new limits.conf and place under $SPLUNK_HOME/etc/system/local/limits.conf

Re: GEOIP Only displaying 10000 results on a map

Spelunke — Wed, 04 Jan 2012 21:20:36 GMT

good point, but which limit to change?

Re: GEOIP Only displaying 10000 results on a map

nina15 — Fri, 06 Jan 2012 02:35:26 GMT

I'm having the same problem which was going on in another thread: geoip search results not correct

which parameter has to change here??

Re: GEOIP Only displaying 10000 results on a map

jeremiahc4 — Wed, 11 Jan 2012 18:47:22 GMT

From what I'm reading in dmaislin_splunk's response, it looks like you either change your system-wide defaults via this file;

$SPLUNK_HOME/etc/system/default/limits.conf

or you create your local config based off that file with this file and this would be a more limited scope across your splunk server;

$SPLUNK_HOME/etc/system/local/limits.conf

The fields I thought I needed to edit are below (my results are stopping at 10000);

[subsearch]
maxout = 10000
maxtime = 60

All that said, I tried it and it has not changed my results yet, still getting just 10000 and it's dying even after a splunk restart. There's a handful of other fields in the limits.conf file matching this 10000 barrier I'm running into, but none of the descriptions suggest they're involved with what I'm doing.

Re: GEOIP Only displaying 10000 results on a map

jeremiahc4 — Mon, 28 Sep 2020 10:18:06 GMT

Actually after re-reading brianokelly's original post, is it hard coded to 10k (the number next after max_count in the code snippet posted)? I see max_count defined in my system-wide limits.conf as 10m so I don't think that is the field it's keying on here.

Re: GEOIP Only displaying 10000 results on a map

mcolin — Mon, 16 Jan 2012 13:43:21 GMT

by changing the value in

[subsearch]

maximum number of results to return from a subsearch

maxout =

you should get what you are expecting

Re: GEOIP Only displaying 10000 results on a map

pwattssplunk — Mon, 14 Jan 2013 16:23:40 GMT

[subsearch]
* This stanza controls subsearch results.

maxout =
* Maximum number of results to return from a subsearch.
* This value cannot be greater than or equal to 10500.
* Defaults to 100.

Re: GEOIP Only displaying 10000 results on a map

mikelanghorst — Mon, 14 Jan 2013 16:43:24 GMT

Should never change a file in a default directory, as that will be overwritten the next time you update.