topic Re: Search command Top -> Does not return more than 100K results? in Splunk Search

Search command Top -> Does not return more than 100K results?

lpolo — Wed, 27 Feb 2013 20:23:44 GMT

I need to index the all the Top N results of a field.

Search query:

|top limit=0 field| streamstats count as rank

The result set never exceeds 100K rows. I looked at $Splunk/etc/system/default/limits.conf and This is a the default for top search command:

[top]
maxresultrows = 50000
# maximum distinct value vectors to keep track of
maxvalues = 0
maxvaluesize = 0

There is not any configuration in the local limits.conf file to override the default.

Question:
How should I configure my local limits.conf file to have all the result set generated by the search command top limit=0?

Thanks,
Lp

yannK — Fri, 01 Mar 2013 16:43:50 GMT

please refer to the specifications for limits.conf
http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Limitsconf
or in your instance in $SPLUNK_HOME/etc/system/README/limits.conf.spec

This one seems to be the parameter you are looking for.

[top] maxvalues = < integer > * Maximum number of distinct field vector values to keep track of. * Defaults to 100000.

lpolo — Fri, 01 Mar 2013 17:42:27 GMT

Yannk,

Thanks for your input. I have maxvalues set to 0 as presented in my question. I assumed that it should not default to 100K. Is this correct?

Thanks,
Lp

yannK — Fri, 01 Mar 2013 17:45:30 GMT

you are right, I would expect 0 to be interpreted as unlimited.

Or maybe is there another limit for each subsearch/searchcommand that has precedence.