All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

GEOIP Only displaying 10000 results on a map

brianokelly
Explorer
‎11-14-2011 09:51 PM

Hi all, when plotting geoip data onto google maps we only see 10K results displayed. I checked in limits.conf and modified a number of parameters which had no effect. When I do a search inspection I see for the parameter request:

request {'time_format': '%s.%Q', 'search': 'search index=bluecoat | geoip cip', 'required_field_list': '*', 'max_count': '10000', 'ui_dispatch_app': 'SplunkForHostworksCDN', 'latest_time': '0', 'status_buckets': '300', 'ui_dispatch_view': 'flashtimeline', 'earliest_time': '1321249597', 'auto_cancel': '100'}

It seems the max_count is set to 10000. Does anyone know which parameter this refers to for google maps?

Reply

pwattssplunk
Splunk Employee
Splunk Employee
‎01-14-2013 08:23 AM

[subsearch]
* This stanza controls subsearch results.

maxout =
* Maximum number of results to return from a subsearch.
* This value cannot be greater than or equal to 10500.
* Defaults to 100.

0 Karma
Reply

mcolin
Engager
‎01-16-2012 05:43 AM

by changing the value in

[subsearch]

maximum number of results to return from a subsearch

maxout =

you should get what you are expecting

Reply

jeremiahc4
Builder
‎01-11-2012 10:47 AM

From what I'm reading in dmaislin_splunk's response, it looks like you either change your system-wide defaults via this file;

$SPLUNK_HOME/etc/system/default/limits.conf

or you create your local config based off that file with this file and this would be a more limited scope across your splunk server;

$SPLUNK_HOME/etc/system/local/limits.conf

The fields I thought I needed to edit are below (my results are stopping at 10000);

[subsearch]
maxout = 10000
maxtime = 60

All that said, I tried it and it has not changed my results yet, still getting just 10000 and it's dying even after a splunk restart. There's a handful of other fields in the limits.conf file matching this 10000 barrier I'm running into, but none of the descriptions suggest they're involved with what I'm doing.

0 Karma
Reply

mikelanghorst
Motivator
‎01-14-2013 08:43 AM

Should never change a file in a default directory, as that will be overwritten the next time you update.

0 Karma
Reply

jeremiahc4
Builder
‎01-11-2012 10:56 AM

Actually after re-reading brianokelly's original post, is it hard coded to 10k (the number next after max_count in the code snippet posted)? I see max_count defined in my system-wide limits.conf as 10m so I don't think that is the field it's keying on here.

0 Karma
Reply

nina15
Communicator
‎01-05-2012 06:35 PM

I'm having the same problem which was going on in another thread: geoip search results not correct

which parameter has to change here??

0 Karma
Reply

Spelunke
Path Finder
‎01-04-2012 01:20 PM

good point, but which limit to change?

0 Karma
Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎01-04-2012 05:09 AM

In case you want to take a look at the limits, they are established on $SPLUNK_HOME/etc/system/default/limits.conf, find the one you'd like to change, create a new limits.conf and place under $SPLUNK_HOME/etc/system/local/limits.conf

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...