GEOIP Only displaying 10000 results on a map

Explorer

Hi all, when plotting geoip data onto Google Maps we only see 10K results displayed. I checked in limits.conf and modified a number of parameters, which had no effect. When I do a search inspection I see for the parameter request:

request {'time_format': '%s.%Q', 'search': 'search index=bluecoat | geoip cip', 'required_field_list': '*', 'max_count': '10000', 'ui_dispatch_app': 'SplunkForHostworksCDN', 'latest_time': '0', 'status_buckets': '300', 'ui_dispatch_view': 'flashtimeline', 'earliest_time': '1321249597', 'auto_cancel': '100'}

It seems the max_count is set to 10000. Does anyone know which parameter this refers to for Google Maps?

Splunk Employee

[subsearch]
* This stanza controls subsearch results.

maxout =
* Maximum number of results to return from a subsearch.
* This value cannot be greater than or equal to 10500.
* Defaults to 100.

0 Karma

Engager

By changing the value in

[subsearch]

maximum number of results to return from a subsearch

maxout =

you should get what you are expecting

Builder

From what I'm reading in dmaislin_splunk's response, it looks like you either change your system-wide defaults via this file:

$SPLUNK_HOME/etc/system/default/limits.conf

or you create your local config based off that file with this file, and this would be a more limited scope across your Splunk server:

$SPLUNK_HOME/etc/system/local/limits.conf

The fields I thought I needed to edit are below (my results are stopping at 10000):

[subsearch]
maxout = 10000
maxtime = 60

All that said, I tried it and it has not changed my results yet; I'm still getting just 10000 and it's dying even after a Splunk restart. There's a handful of other fields in the limits.conf file matching this 10000 barrier I'm running into, but none of the descriptions suggest they're involved with what I'm doing.

0 Karma

Motivator

Should never change a file in a default directory, as that will be overwritten the next time you update.

0 Karma

Builder

Actually after re-reading brianokelly's original post, is it hard coded to 10k (the number next after max_count in the code snippet posted)? I see max_count defined in my system-wide limits.conf as 10m so I don't think that is the field it's keying on here.

0 Karma

Communicator

I'm having the same problem which was going on in another thread: geoip search results not correct

Which parameter has to change here?

0 Karma

Path Finder

Good point, but which limit to change?

0 Karma

Splunk Employee

In case you want to take a look at the limits, they are established in $SPLUNK_HOME/etc/system/default/limits.conf. Find the one you'd like to change, create a new limits.conf, and place it under $SPLUNK_HOME/etc/system/local/limits.conf

0 Karma
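The layering the replies above describe (defaults in etc/system/default, overrides in etc/system/local) can be checked offline. The following is an added example, not part of the thread and not Splunk's own code: it merges the two layers and lists every effective setting equal to 10000 along with the file that supplies it. The two file bodies are constructed samples, `example_stanza` and `example_limit` are hypothetical names, and only these two layers are modelled.

```python
# Added example: layer a local limits.conf over the default one and report
# which layer supplies each effective value. Sample contents are constructed.
import re

DEFAULT_CONF = """\
# constructed sample standing in for etc/system/default/limits.conf
[subsearch]
maxout = 100
maxtime = 60

[example_stanza]
example_limit = 10000
"""

LOCAL_CONF = """\
# constructed sample standing in for etc/system/local/limits.conf
[subsearch]
maxout = 10000
"""

def parse_conf(text):
    """Parse '[stanza]' / 'key = value' text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def effective(default_text, local_text):
    """Return {(stanza, key): (value, source)}; local overrides default."""
    merged = {}
    for source, text in (("default", default_text), ("local", local_text)):
        for stanza, keys in parse_conf(text).items():
            for key, value in keys.items():
                merged[(stanza, key)] = (value, source)
    return merged

def settings_equal_to(merged, wanted):
    """List (stanza, key, source) for each effective setting equal to wanted."""
    return sorted((s, k, src) for (s, k), (v, src) in merged.items() if v == wanted)

if __name__ == "__main__":
    for stanza, key, source in settings_equal_to(effective(DEFAULT_CONF, LOCAL_CONF), "10000"):
        print(f"[{stanza}] {key} = 10000  (from {source})")
```
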