Hello,
I have 120,000 events with the same timestamp, and the first 100,000 get indexed with that (correct) timestamp, while the remaining 20k get one that is a second later.
I guess that a parameter in limits.conf should be changed. I tried to increase maxvalues to 200,000, but it did not help (this parameter was the only one more or less close to what I expected to achieve). What I did was to create (per the suggestion in the default file) a file /opt/splunk/etc/system/local/limits.conf with the following content:
[anomalousvalue]
# maximum number of distinct values for a field
maxvalues = 200000
Is there another parameter which I could change to solve my problem?
Thank you.