https://community.splunk.com/t5/Getting-Data-In/Why-does-the-custom-search-command-display-only-1000-events/m-p/438164#M76407 <P>This is because by default it's limited at 1000 in code.</P> <P>You can increase this value in limits.conf:<BR /> [search]<BR /> max_events_per_bucket = xxxx</P> <P>Please refer to this answer:<BR /> <A href="https://answers.splunk.com/answers/92979/the-flashtimeline-dashboard-only-shows-first-1000-events.html" target="_blank">https://answers.splunk.com/answers/92979/the-flashtimeline-dashboard-only-shows-first-1000-events.html</A></P> Tue, 29 Sep 2020 21:26:54 GMT mchang_splunk 2020-09-29T21:26:54Z https://community.splunk.com/t5/Getting-Data-In/Why-does-the-custom-search-command-display-only-1000-events/m-p/438161#M76404 <P>The following custom search command (which should return 100,000 displays) returns only 1000 events in Splunk. The rest of the events seems to be accounted for, but are not displayed; Splunk 6.x and 7.x:</P> <PRE><CODE>import splunk.clilib.cli_common as spcli import splunk.Intersplunk import sys import time keywords, options = splunk.Intersplunk.getKeywordsAndOptions() def main(args): results = [] row = {} for i in range(0,100000): record = {} record['_time'] = time.time() record['_raw'] = "{" + str(i) + "}" results.append(record) splunk.Intersplunk.outputStreamResults(results) exit() main(sys.argv) </CODE></PRE> <P>commands.conf:</P> <PRE><CODE>[test] filename = test.py local = true overrides_timeorder = true streaming = true supports_multivalues = true generating = stream </CODE></PRE> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5698iD3FCC728E06B8ED3/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Sun, 02 Sep 2018 18:12:45 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-the-custom-search-command-display-only-1000-events/m-p/438161#M76404 jibanes 2018-09-02T18:12:45Z https://community.splunk.com/t5/Getting-Data-In/Why-does-the-custom-search-command-display-only-1000-events/m-p/438162#M76405 <P>look for <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf">limits.conf</A></P> <P>Configure:</P> <PRE><CODE>[searchresults] maxresultrows = 100000 </CODE></PRE> Sun, 02 Sep 2018 22:12:55 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-the-custom-search-command-display-only-1000-events/m-p/438162#M76405 Lazarix 2018-09-02T22:12:55Z https://community.splunk.com/t5/Getting-Data-In/Why-does-the-custom-search-command-display-only-1000-events/m-p/438163#M76406 <P>No that doesn't seem to change the behavior, I added this in limits.conf, then restarted splunk.</P> <PRE><CODE>/opt/splunk/bin/splunk btool limits list | grep -A10 searchresults [searchresults] compression_level = 1 max_mem_usage_mb = 200 maxresultrows = 100000 tocsv_maxretry = 5 tocsv_retryperiod_ms = 500 [set] max_mem_usage_mb = 200 maxresultrows = 50000 [show_source] distributed = true </CODE></PRE> <P>Same behavior as previously reported though... only 10,000 results visible.</P> <P>Note that the same behavior is observed with the default splunk command:</P> <PRE><CODE>| streambag chunks=100 </CODE></PRE> <P>there are no events passed page #20. Exact same behavior. </P> Sun, 02 Sep 2018 22:26:16 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-the-custom-search-command-display-only-1000-events/m-p/438163#M76406 jibanes 2018-09-02T22:26:16Z https://community.splunk.com/t5/Getting-Data-In/Why-does-the-custom-search-command-display-only-1000-events/m-p/438164#M76407 <P>This is because by default it's limited at 1000 in code.</P> <P>You can increase this value in limits.conf:<BR /> [search]<BR /> max_events_per_bucket = xxxx</P> <P>Please refer to this answer:<BR /> <A href="https://answers.splunk.com/answers/92979/the-flashtimeline-dashboard-only-shows-first-1000-events.html" target="_blank">https://answers.splunk.com/answers/92979/the-flashtimeline-dashboard-only-shows-first-1000-events.html</A></P> Tue, 29 Sep 2020 21:26:54 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-the-custom-search-command-display-only-1000-events/m-p/438164#M76407 mchang_splunk 2020-09-29T21:26:54Z