Hi there!
I have created a panel with a simple count of events that depends on some pickers. All works fine, but when I'm testing this panel and I put all the events (15 million, more or less), it only shows me 10 million. I was thinking about limits.conf, and I tried to change some options like...
[stats]
maxresultrows = <integer>
* Maximum number of rows allowed in the process memory.
* When the search process exceeds max_mem_usage_mb and maxresultrows, data is
spilled out to the disk
* If not specified, defaults to searchresults::maxresultrows (which is by default 50000).
maxvalues = <integer>
* Maximum number of values for any field to keep track of.
* Defaults to 0 (unlimited).
[concurrency]
max_count = <integer>
* Maximum number of detected concurrencies.
* Defaults to 10000000
... without any change. I'm reading all the options but I believe that any of them refers to this. Am I wrong?
Any help, please?
Ok, my bad. We are testing with DB Connect (launch a batch, delete index, repeat) and one of the options in batch mode is the max rows to retrieve, and guess what? This option is set to 10 million. I forgot to activate the rising column, and with all these elements we created "this problem". Solved!
All of you, thank you.
I don't know if it's the same thing, but I found a situation in which I had a search limited to 10000 events, also modifying limits.conf.
The problem was the sort command I used: using "sort 0 myfield" I solved my problem.
Bye.
Giuseppe
Thanks for your quick answer!
I knew about the sort limit before and I think that the problem was similar, but I can't find something like that in the stats documentation. My query is really simple:
index=some_index $token1$ $token2$ | stats count
Any other suggestion?
Regards.
Are you having a distributed environment?
limits.conf settings and DISTRIBUTED SEARCH
Unlike most settings which affect searches, limits.conf settings are not
provided by the search head to be used by the search peers. This means
that if you need to alter search-affecting limits in a distributed
environment, typically you will need to modify these settings on the
relevant peers and search head for consistent results.
Hi @inventsekar
That isn't the case this time. It is a simple Splunk Enterprise 6.4.1 deployment on a Linux Ubuntu Server 16.04.
May I know your search query, please? Are you running and counting using stats or something like that? As per my knowledge, there is no limit for the number of the search results, but maybe other configs are limiting it, it seems.
I just tried on my environment and it's returning more than 11 million events.
host = "my.hostname.com" | stats count
11,599,613
Hi again @inventsekar
My query is really simple:
index=index1 $token$ $token2$ $token3$ $token4$ $token5$ $token6$ | stats count
I get 10 million with every user, everywhere (search box or panel).
This is a fresh install, and we are setting up the config as we need it, and by now we haven't touched any config file (except limits.conf for this case).
Maybe a 6.4.1 limitation?
Nope. The 6.4.1 release notes do not say anything about this.
Also, please check the user role permissions. The user roles can have search restrictions.
Ok, I will check the roles, but this happens with the admin user, too.