All Apps and Add-ons

Splunk JavaScript Web Framework: How to return more than 50000 search results without modifying the value in limits.conf?

kasu_praveen
Communicator

Seems to me there is a limit to search results through the JavaScript framework in Splunk.
When I run the below JS code, the maximum results I am getting is 50000 only.

var SearchInst = splunkjs.mvc.Components.getInstance("search1");
var searchResults = SearchInst.data("results");
searchResults.on("data", function() {
     dataRows = searchResults.data().rows; // Maximum rows resulting here is 50000 only.
});

Seems this is restricted in limits.conf.

So, thought of looping the search results and came up with the below modified code (minLimit and maxLimit values will be modified in a loop).

var SearchInst = splunkjs.mvc.Components.getInstance("search1");
var searchResults = SearchInst.data("results",{count:maxLimit,offset:minLimit});
searchResults.on("data", function() {
     dataRows = searchResults.data().rows; 
    // dataRows value is accessible here only. When I try to read this variable outside of this "on" event, I am seeing no results.
});

but, problem with this code is, the dataRows value is accessible with in the "on" event only. When I try to read this variable outside of this "on" event, I am seeing no results.

First of all, is this approach is correct? Any Idea, how to get all the results (more than 50000) without modifying the value in limits.conf?

Thanks in Advance.

rakeshh123
Path Finder

Hi Kasu_Praveen
There is another way of doing other than changing the limits.confi by using savedsearches.conf ...........i dont know how to do it through GUI .....But you can change It through Configuration files .........Go to Splunk-----> etc---->system----> default---->savedsearches.conf
copy the files paste it in etc---->system-------->local and all u need to do is change only one attribute
dispatch.max_count----> default value is 500000
change it to ur required value ...........Let me know if it helps .....................

0 Karma

davidpaper
Contributor

I don't think this is the same setting. Sunil's running into a limit at 50,000, and the default for dispatch.max_count is already higher at 500,000.

0 Karma

gyslainlatsa
Motivator

hi kasu_praveen,

every person who wants to change the default number of results is often forced to change the limits.conf file.

and I think this is the best solution to have more lice 50,000 events by default.

https://answers.splunk.com/answers/24648/why-do-i-receive-limit-50000-results-reached-warning-messag...

I do not really think there's another idea that allows dele do without changing the file limit.conf becaufe all the changes we make at splunkweb are saved in configuration files.

0 Karma

kasu_praveen
Communicator

Hi gyslainlatsa,

Thanks for your time.
But, we don't want to modify value in limits.conf, as that will cause memory issues.
Ref: Limits.conf
Looking forward for any other solution to resolve this.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...