All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

GEOIP Only displaying 10000 results on a map

brianokelly
Explorer
‎11-14-2011 09:51 PM

Hi all, when plotting geoip data onto google maps we only see 10K results displayed. I checked in limits.conf and modified a number of parameters which had no effect. When I do a search inspection I see for the parameter request:

request {'time_format': '%s.%Q', 'search': 'search index=bluecoat | geoip cip', 'required_field_list': '*', 'max_count': '10000', 'ui_dispatch_app': 'SplunkForHostworksCDN', 'latest_time': '0', 'status_buckets': '300', 'ui_dispatch_view': 'flashtimeline', 'earliest_time': '1321249597', 'auto_cancel': '100'}

It seems the max_count is set to 10000. Does anyone know which parameter this refers to for google maps?

Reply

pwattssplunk
Splunk Employee
Splunk Employee
‎01-14-2013 08:23 AM

[subsearch]
* This stanza controls subsearch results.

maxout =
* Maximum number of results to return from a subsearch.
* This value cannot be greater than or equal to 10500.
* Defaults to 100.

0 Karma
Reply

mcolin
Engager
‎01-16-2012 05:43 AM

by changing the value in

[subsearch]

maximum number of results to return from a subsearch

maxout =

you should get what you are expecting

Reply

jeremiahc4
Builder
‎01-11-2012 10:47 AM

From what I'm reading in dmaislin_splunk's response, it looks like you either change your system-wide defaults via this file;

$SPLUNK_HOME/etc/system/default/limits.conf

or you create your local config based off that file with this file and this would be a more limited scope across your splunk server;

$SPLUNK_HOME/etc/system/local/limits.conf

The fields I thought I needed to edit are below (my results are stopping at 10000);

[subsearch]
maxout = 10000
maxtime = 60

All that said, I tried it and it has not changed my results yet, still getting just 10000 and it's dying even after a splunk restart. There's a handful of other fields in the limits.conf file matching this 10000 barrier I'm running into, but none of the descriptions suggest they're involved with what I'm doing.

0 Karma
Reply

mikelanghorst
Motivator
‎01-14-2013 08:43 AM

Should never change a file in a default directory, as that will be overwritten the next time you update.

0 Karma
Reply

jeremiahc4
Builder
‎01-11-2012 10:56 AM

Actually after re-reading brianokelly's original post, is it hard coded to 10k (the number next after max_count in the code snippet posted)? I see max_count defined in my system-wide limits.conf as 10m so I don't think that is the field it's keying on here.

0 Karma
Reply

nina15
Communicator
‎01-05-2012 06:35 PM

I'm having the same problem which was going on in another thread: geoip search results not correct

which parameter has to change here??

0 Karma
Reply

Spelunke
Path Finder
‎01-04-2012 01:20 PM

good point, but which limit to change?

0 Karma
Reply

dmaislin_splunk
Splunk Employee
Splunk Employee
‎01-04-2012 05:09 AM

In case you want to take a look at the limits, they are established on $SPLUNK_HOME/etc/system/default/limits.conf, find the one you'd like to change, create a new limits.conf and place under $SPLUNK_HOME/etc/system/local/limits.conf

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...