
Search Query Limitation displaying only 800000 records

kishen2017
Path Finder

Hi All,

I am facing an issue with a Splunk search query hitting a limit of 800000 records.
In the query below, the SLR001 total count is displayed as 800000, but the actual number of records in the index for SLR001 is more than 900000.
The search query is limiting the records returned for SLR001 to 800000.

I tried changing the maxresultrows config value in limits.conf, but it doesn't work.
I also tried using the append maxout command with a higher value, but it did not work.

I would appreciate any help in getting the SLR001 total count to display more than 800000 records.

Query Used:

(index=sumidx_slr006 search_stage=slr006) OR (index=sumidx_slr002 stage=transaction slr=slr002) OR (index=sumidx_slr003 slr=slr003 stage=transaction) OR (index=sumidx_slr004 search_name="sumidx_slr004") |append [search index="sumidx_slr001" search_name="sumidx_slr001" |dedup isoClearSysRef]
| eval SLR_name=case(index="sumidx_slr006","SLR006",search_name="sumidx_slr001_change2","SLR001",index="sumidx_slr002","SLR002",index="sumidx_slr003","SLR003",index="sumidx_slr004","SLR004")
| stats count(eval(SLR_status="Breached")) AS Breached,count(eval(SLR_status="Breached" OR SLR_status="Not Breached")) as Total by SLR_name

Output:

SLR_name  Breached  Total
SLR001    315       800000
SLR002    141       1378539
SLR003    1792      1349458
SLR004    17        231518
SLR006    13        220741
