https://community.splunk.com/t5/Splunk-Search/scrub-command-returning-50000-results/m-p/364140#M107490 <P>Hey Chrisw3,</P> <P>Unfortunately, I do not believe this is a setting you can change. To test I went changed every value in limits.conf from 50000 to 50100. scrub still came back with only 50,000 results. </P> <P>Additionally, I believe this is a constraint of the command itself. Because it is calling a python script on the backend which is using the 1.x SDK which limits transforming searches to 50k results. I believe the 50k limit is a limit of the SDK and is not configurable anywhere.</P> <P>Sorry and goodluck! -David</P> Thu, 26 Apr 2018 03:44:52 GMT David_Naylor 2018-04-26T03:44:52Z https://community.splunk.com/t5/Splunk-Search/scrub-command-returning-50000-results/m-p/364139#M107489 <P>Looking for confirmation that I've found the right setting.</P> <P>When i run:</P> <P><STRONG><EM>query<BR /> | stats count</EM></STRONG></P> <P>I see 400,000 events.</P> <P>When I run</P> <P><STRONG><EM>query<BR /> | scrub</EM></STRONG></P> <P>It only returns 50,000.</P> <P>Looking through documentation and other posts, it <EM>appears</EM> that the bottleneck is the <STRONG>maxresultrows</STRONG> setting in limits.conf but there's nothing that confirms this. Am I in the right place or is there another setting that I should adjust?</P> Wed, 25 Apr 2018 22:43:17 GMT https://community.splunk.com/t5/Splunk-Search/scrub-command-returning-50000-results/m-p/364139#M107489 chrisw3 2018-04-25T22:43:17Z https://community.splunk.com/t5/Splunk-Search/scrub-command-returning-50000-results/m-p/364140#M107490 <P>Hey Chrisw3,</P> <P>Unfortunately, I do not believe this is a setting you can change. To test I went changed every value in limits.conf from 50000 to 50100. scrub still came back with only 50,000 results. </P> <P>Additionally, I believe this is a constraint of the command itself. Because it is calling a python script on the backend which is using the 1.x SDK which limits transforming searches to 50k results. I believe the 50k limit is a limit of the SDK and is not configurable anywhere.</P> <P>Sorry and goodluck! -David</P> Thu, 26 Apr 2018 03:44:52 GMT https://community.splunk.com/t5/Splunk-Search/scrub-command-returning-50000-results/m-p/364140#M107490 David_Naylor 2018-04-26T03:44:52Z https://community.splunk.com/t5/Splunk-Search/scrub-command-returning-50000-results/m-p/364141#M107491 <P>Do you have anything you can point me to for the limit on the 1.x SDK limit?</P> Thu, 26 Apr 2018 17:38:36 GMT https://community.splunk.com/t5/Splunk-Search/scrub-command-returning-50000-results/m-p/364141#M107491 chrisw3 2018-04-26T17:38:36Z https://community.splunk.com/t5/Splunk-Search/scrub-command-returning-50000-results/m-p/364142#M107492 <P>This "Best of Splunk" .conf 2017 talk on the python sdk v2 lists the 50k limit as a negative of v1</P> <P><A href="http://conf.splunk.com/sessions/2017-sessions.html#search=Extending%20SPL%20with%20Custom%20Search%20Commands%20and%20the%20Splunk%20SDK%20for%20Python&amp;">http://conf.splunk.com/sessions/2017-sessions.html#search=Extending%20SPL%20with%20Custom%20Search%20Commands%20and%20the%20Splunk%20SDK%20for%20Python&amp;</A></P> Thu, 26 Apr 2018 22:11:12 GMT https://community.splunk.com/t5/Splunk-Search/scrub-command-returning-50000-results/m-p/364142#M107492 David_Naylor 2018-04-26T22:11:12Z https://community.splunk.com/t5/Splunk-Search/scrub-command-returning-50000-results/m-p/364143#M107493 <P>Sharing the answer I found after working with the Splunk team to dig this out.</P> <P>There's no call to the python SDK so that doesn't appear to impact anything.</P> <P>Turns out that the answer is <STRONG>maxresultrows</STRONG> setting in limits.conf. This limits the search to 50,000.</P> <P><EM>However</EM>, there's a second limitation underneath the commands.conf file that is required as well. </P> <P>commands.conf<BR /> [scrub]<BR /> maxinputs = <EM>integer</EM></P> <P><EM>From documentation:</EM><BR /> * Maximum number of events that can be passed to the command for each invocation.<BR /> * This limit cannot exceed the value of maxresultrows in limits.conf.<BR /> * 0 for no limit.<BR /> * Defaults to 50000.</P> <P>The smallest of the values of <STRONG>maxresultrows</STRONG> and <STRONG>maxinputs</STRONG> will be the value that is returned.</P> <P>Hopefully this saves someone a few minutes of clicking.</P> Fri, 04 May 2018 20:28:25 GMT https://community.splunk.com/t5/Splunk-Search/scrub-command-returning-50000-results/m-p/364143#M107493 chrisw3 2018-05-04T20:28:25Z