Hi all, when plotting geoip data onto google maps we only see 10K results displayed. I checked in limits.conf and modified a number of parameters which had no effect. When I do a search inspection I see for the parameter request:
request {'time_format': '%s.%Q', 'search': 'search index=bluecoat | geoip cip', 'required_field_list': '*', 'max_count': '10000', 'ui_dispatch_app': 'SplunkForHostworksCDN', 'latest_time': '0', 'status_buckets': '300', 'ui_dispatch_view': 'flashtimeline', 'earliest_time': '1321249597', 'auto_cancel': '100'}
It seems the max_count is set to 10000. Does anyone know which parameter this refers to for google maps?
[subsearch]
* This stanza controls subsearch results.
maxout =
* Maximum number of results to return from a subsearch.
* This value cannot be greater than or equal to 10500.
* Defaults to 100.
By changing the value in
[subsearch]
maxout =
you should get what you are expecting.
From what I'm reading in dmaislin_splunk's response, it looks like you either change your system-wide defaults via this file:
$SPLUNK_HOME/etc/system/default/limits.conf
or you create your local config, based off that file, in this file, which would have a more limited scope across your Splunk server:
$SPLUNK_HOME/etc/system/local/limits.conf
The fields I thought I needed to edit are below (my results are stopping at 10000):
[subsearch]
maxout = 10000
maxtime = 60
All that said, I tried it and it has not changed my results yet; I'm still getting just 10000 and it's dying even after a Splunk restart. There's a handful of other fields in the limits.conf file matching this 10000 barrier I'm running into, but none of the descriptions suggest they're involved with what I'm doing.
You should never change a file in a default directory, as that will be overwritten the next time you update.
Actually, after re-reading brianokelly's original post, is it hard coded to 10k (the number after max_count in the code snippet posted)? I see max_count defined in my system-wide limits.conf as 10m, so I don't think that is the field it's keying on here.
I'm having the same problem which was going on in another thread: geoip search results not correct
Which parameter has to change here?
Good point, but which limit to change?
In case you want to take a look at the limits, they are established in $SPLUNK_HOME/etc/system/default/limits.conf; find the one you'd like to change, create a new limits.conf and place it under $SPLUNK_HOME/etc/system/local/limits.conf.
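The two steps the thread keeps circling back to (find which stanza in default/limits.conf carries a given limit, then override only that key from local/) can be walked through on a throwaway directory. The script below is an added example, not from the thread and not Splunk's own code: it builds a constructed $SPLUNK_HOME layout with sample limits.conf contents (not Splunk's real shipped defaults), a `conf_get` helper that reads one key out of one stanza, an `effective_limit` helper that mimics the local-over-default layering, and a `find_limit` helper that lists every key in default/limits.conf set to a given value. Stanza names, keys and values in the sample files are assumptions chosen for illustration.

```bash
#!/bin/sh
# Added example (not part of the original thread). Builds a throwaway
# $SPLUNK_HOME with constructed default/ and local/ limits.conf files and
# resolves the effective value of a key the way Splunk layers local over default.
# The file contents below are constructed samples, not Splunk's shipped defaults.

SPLUNK_HOME=$(mktemp -d)   # throwaway directory, never a real install
mkdir -p "$SPLUNK_HOME/etc/system/default" "$SPLUNK_HOME/etc/system/local"

# Constructed stand-in for the shipped defaults (do not edit this file on a real install).
cat > "$SPLUNK_HOME/etc/system/default/limits.conf" <<'EOF'
[subsearch]
maxout = 100
maxtime = 60

[searchresults]
maxresultrows = 50000
EOF

# Local override: only the stanza and key you actually want to change.
cat > "$SPLUNK_HOME/etc/system/local/limits.conf" <<'EOF'
[subsearch]
maxout = 10000
EOF

# conf_get FILE STANZA KEY -> prints the value of KEY inside [STANZA], or nothing
conf_get() {
    awk -v stanza="[$2]" -v key="$3" '
        /^\[/ { in_stanza = ($0 == stanza); next }
        in_stanza && $1 == key && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# effective_limit STANZA KEY -> value from local/ if set there, else from default/
effective_limit() {
    v=$(conf_get "$SPLUNK_HOME/etc/system/local/limits.conf" "$1" "$2")
    [ -n "$v" ] || v=$(conf_get "$SPLUNK_HOME/etc/system/default/limits.conf" "$1" "$2")
    printf '%s\n' "$v"
}

# find_limit VALUE -> every "[stanza] key" in default/limits.conf whose value is VALUE
find_limit() {
    awk -v want="$1" '
        /^\[/ { stanza = $0; next }
        $2 == "=" && $3 == want { print stanza " " $1 }
    ' "$SPLUNK_HOME/etc/system/default/limits.conf"
}

echo "subsearch.maxout  = $(effective_limit subsearch maxout)"   # local wins
echo "subsearch.maxtime = $(effective_limit subsearch maxtime)"  # falls back to default
echo "keys set to 50000: $(find_limit 50000)"
```

On a real install the same check is done with Splunk's own tool, `$SPLUNK_HOME/bin/splunk btool limits list subsearch --debug`, which prints the effective stanza and the file each value came from, so you can confirm whether your local/limits.conf is actually being picked up before concluding that a given limit is not the one in play.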