
GEOIP Only displaying 10000 results on a map

brianokelly
Explorer

Hi all, when plotting geoip data onto google maps we only see 10K results displayed. I checked in limits.conf and modified a number of parameters which had no effect. When I do a search inspection I see for the parameter request:

request {'time_format': '%s.%Q', 'search': 'search index=bluecoat | geoip cip', 'required_field_list': '*', 'max_count': '10000', 'ui_dispatch_app': 'SplunkForHostworksCDN', 'latest_time': '0', 'status_buckets': '300', 'ui_dispatch_view': 'flashtimeline', 'earliest_time': '1321249597', 'auto_cancel': '100'}

It seems the max_count is set to 10000. Does anyone know which parameter this refers to for google maps?

pwattssplunk
Splunk Employee

[subsearch]
* This stanza controls subsearch results.

maxout =
* Maximum number of results to return from a subsearch.
* This value cannot be greater than or equal to 10500.
* Defaults to 100.

0 Karma

mcolin
Engager

By changing the value in

[subsearch]

maximum number of results to return from a subsearch

maxout =

you should get what you are expecting.

jeremiahc4
Builder

From what I'm reading in dmaislin_splunk's response, it looks like you either change your system-wide defaults via this file:

$SPLUNK_HOME/etc/system/default/limits.conf

or you create your local config based off that file with this file, and this would be a more limited scope across your Splunk server:

$SPLUNK_HOME/etc/system/local/limits.conf

The fields I thought I needed to edit are below (my results are stopping at 10000):

[subsearch]
maxout = 10000
maxtime = 60

All that said, I tried it and it has not changed my results yet, still getting just 10000 and it's dying even after a splunk restart. There's a handful of other fields in the limits.conf file matching this 10000 barrier I'm running into, but none of the descriptions suggest they're involved with what I'm doing.

0 Karma

mikelanghorst
Motivator

You should never change a file in a default directory, as it will be overwritten the next time you update.

0 Karma

jeremiahc4
Builder

Actually after re-reading brianokelly's original post, is it hard coded to 10k (the number next after max_count in the code snippet posted)? I see max_count defined in my system-wide limits.conf as 10m so I don't think that is the field it's keying on here.

0 Karma

nina15
Communicator

I'm having the same problem which was going on in another thread: geoip search results not correct

Which parameter has to change here?

0 Karma

Spelunke
Path Finder

Good point, but which limit to change?

0 Karma

dmaislin_splunk
Splunk Employee

In case you want to take a look at the limits, they are established in $SPLUNK_HOME/etc/system/default/limits.conf. Find the one you'd like to change, create a new limits.conf, and place it under $SPLUNK_HOME/etc/system/local/limits.conf.

0 Karma
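Added example, not from this thread or from Splunk itself: a small Python resolver that merges a default and a local limits.conf the way Splunk layers them (local overrides default), reports which file the effective [subsearch] maxout came from, and checks it against the "cannot be greater than or equal to 10500" rule quoted above. The two file contents are constructed stand-ins for $SPLUNK_HOME/etc/system/default/limits.conf and $SPLUNK_HOME/etc/system/local/limits.conf, and the layer names are illustrative.

```python
import configparser
from typing import Dict, Tuple

# Constructed stand-ins for the two files discussed in the thread; a real
# check would read them from $SPLUNK_HOME/etc/system/{default,local}/limits.conf.
# (Real conf files use '#' comments; the '*' lines quoted above are from the
# .spec file, not from limits.conf itself.)
DEFAULT_LIMITS = """
[subsearch]
maxout = 100
maxtime = 60
"""

LOCAL_LIMITS = """
[subsearch]
maxout = 10000
"""

# From the limits.conf.spec text quoted in this thread: maxout must stay below this.
MAXOUT_UPPER_BOUND = 10500


def parse_conf(text: str) -> configparser.ConfigParser:
    """Splunk conf files are INI-style; interpolation is disabled so '%' in values is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def effective_settings(layers: Dict[str, str], stanza: str) -> Dict[str, Tuple[str, str]]:
    """Merge layers in precedence order (later entries win, so pass default before local)
    and remember which layer supplied each effective value, as 'btool --debug' reports."""
    result: Dict[str, Tuple[str, str]] = {}
    for layer_name, text in layers.items():
        cp = parse_conf(text)
        if cp.has_section(stanza):
            for key, value in cp.items(stanza):
                result[key] = (value, layer_name)
    return result


def check_subsearch_maxout(settings: Dict[str, Tuple[str, str]]) -> Tuple[bool, str]:
    """Validate the effective maxout against the documented bound and say where it came from."""
    value, origin = settings.get("maxout", (None, None))
    if value is None:
        return False, "maxout is not set in any layer"
    n = int(value)
    if n >= MAXOUT_UPPER_BOUND:
        return False, f"maxout={n} from {origin} is >= {MAXOUT_UPPER_BOUND}, which Splunk rejects"
    return True, f"maxout={n} taken from {origin}"
```

Because the default layer is only read, never written, the override lives entirely in the local file, which is the practice mikelanghorst and dmaislin_splunk describe.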