https://community.splunk.com/t5/Splunk-Search/maxresults-and-stats-command/m-p/9896#M294 <P>What's the particular command you are running? Yes, the results are accurate over all events for the buckets that are displayed, but only <EM>displays</EM> up to 10,000 rows.</P> <P>For example, </P> <PRE><CODE>* | stats count by id </CODE></PRE> <P>might only list 10,000 entries, but each <CODE>count</CODE> value will be accurate for all events. Furthermore,</P> <PRE><CODE>* | stats count by id | stats count </CODE></PRE> <P>will give you the correct number of distinct <CODE>id</CODE>'s even if it's more than 10,000, and</P> <PRE><CODE>* | stats count by id | stats sum(count) </CODE></PRE> <P>will give you the correct total number of events with an <CODE>id</CODE>, not just the sum of the first 10,000. (Of course there are other ways to compute these values, but the point is that the limit only affects the total number of final results displayed in the web UI.)</P> <P>Finally, running</P> <PRE><CODE>* | stats count by id | outputcsv myoutfile </CODE></PRE> <P>will write the output file <CODE>$SPLUNK_HOME/var/run/splunk/myoutfile.csv</CODE> with the entire set of results, even though only 10,000 are displayed in the web interface.</P> Sat, 27 Feb 2010 07:37:00 GMT gkanapathy 2010-02-27T07:37:00Z https://community.splunk.com/t5/Splunk-Search/maxresults-and-stats-command/m-p/9895#M293 <P>Does maxresults in limits.conf have an effect when piping results to the stats command? For example, if I run a search over 15 minutes Splunk says there are 523,107 results between 9:00am and 9:15, however only 1000 pages (10 results/page) of results are displayed in the web gui, so 10,000 results, which matches the value in limits.conf. Does the stats command report across all 523,107 results or only the 10,000 that are displayed in the web gui?</P> <P>Thanks in advance for any help.</P> Sat, 27 Feb 2010 03:27:28 GMT https://community.splunk.com/t5/Splunk-Search/maxresults-and-stats-command/m-p/9895#M293 kbecker 2010-02-27T03:27:28Z https://community.splunk.com/t5/Splunk-Search/maxresults-and-stats-command/m-p/9896#M294 <P>What's the particular command you are running? Yes, the results are accurate over all events for the buckets that are displayed, but only <EM>displays</EM> up to 10,000 rows.</P> <P>For example, </P> <PRE><CODE>* | stats count by id </CODE></PRE> <P>might only list 10,000 entries, but each <CODE>count</CODE> value will be accurate for all events. Furthermore,</P> <PRE><CODE>* | stats count by id | stats count </CODE></PRE> <P>will give you the correct number of distinct <CODE>id</CODE>'s even if it's more than 10,000, and</P> <PRE><CODE>* | stats count by id | stats sum(count) </CODE></PRE> <P>will give you the correct total number of events with an <CODE>id</CODE>, not just the sum of the first 10,000. (Of course there are other ways to compute these values, but the point is that the limit only affects the total number of final results displayed in the web UI.)</P> <P>Finally, running</P> <PRE><CODE>* | stats count by id | outputcsv myoutfile </CODE></PRE> <P>will write the output file <CODE>$SPLUNK_HOME/var/run/splunk/myoutfile.csv</CODE> with the entire set of results, even though only 10,000 are displayed in the web interface.</P> Sat, 27 Feb 2010 07:37:00 GMT https://community.splunk.com/t5/Splunk-Search/maxresults-and-stats-command/m-p/9896#M294 gkanapathy 2010-02-27T07:37:00Z