topic Re: Why am I encountering the error "The maximum window size (10000) was reached" when the Splunk query gets too big? in Getting Data In

Why am I encountering the error "The maximum window size (10000) was reached" when the Splunk query gets too big?

barlettal — Mon, 12 Mar 2018 10:31:02 GMT

Hello All,

I want to count how many sessions are alive from a single IP.

I have a problem with the window size of this splunk query gets to big:

index="XXX" sourcetype="XXX" NOT IP="xxx.xxx.xxx.xxx" NOT IP="xxx.xxx.xxx.xxx"
| bin _time span=5m 
| stats values(SESSIONID) as SESSIONID_MINUTE by IP _time 
| sort 0 - _time 
| streamstats time_window=30m dc(SESSIONID_MINUTE) as COUNT_SESSIONID by IP 
| search COUNT_SESSIONID > 50 
| table _time IP COUNT_SESSIONID

Splunk tell me, that "The maximum window size (10000) was reached.".

What can I do? Is there any way to get the complete output of the SPL Query?

Thank you for your help!

Re: Why am I encountering the error "The maximum window size (10000) was reached" when the Splunk query gets too big?

barlettal — Mon, 12 Mar 2018 11:57:01 GMT

I forgot to say that I have 977'887'114 Events in that app / sourcetype.

Re: Why am I encountering the error "The maximum window size (10000) was reached" when the Splunk query gets too big?

p_gurav — Mon, 12 Mar 2018 13:00:22 GMT

Hi,
You can try increasing the admin user's srchDiskQuota from 10000 to 100000. To do this, I created the file /etc/system/local/authorize.conf, and added the stanza:

 [role_admin]
  srchDiskQuota = <integer>

Be careful about increasing this quota for non-admin users, as this can severely hamper performance.Also refer documents:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/authorizeconf

Re: Why am I encountering the error "The maximum window size (10000) was reached" when the Splunk query gets too big?

usd0872 — Wed, 14 Mar 2018 16:23:15 GMT

The message is not caused by a lack of disk quota, but by the maximum window size used when using the time_window option to the streamstats command. Increasing srchDiskQuota won't help.

Re: Why am I encountering the error "The maximum window size (10000) was reached" when the Splunk query gets too big?

usd0872 — Thu, 15 Mar 2018 08:08:22 GMT

You have too many events in the time_window=30m timeframe for streamstats to handle (default=10'000). Considering your event count of close to 1 billion I would recommend to go for fixed instead of sliding 30 minute windows:

 index="XXX" sourcetype="XXX" NOT IP="xxx.xxx.xxx.xxx" NOT IP="xxx.xxx.xxx.xxx"
 | bin _time span=30m 
 | stats dc(SESSIONID) as COUNT_SESSIONID by IP _time 
 | search COUNT_SESSIONID > 50 
 | table _time IP COUNT_SESSIONID

Not exactly what you are looking for, but an approximation, which hopefully is good enough.