Splunk Dev

Where can I change the 10 million limit count?

slr
Communicator

Hi there!

I have created a panel with a simple count of events that depends on some pickers. All works fine, but when I'm testing this panel and I put all the events (15 million more or less) only shows me 10 million. I was thinking in the limits.conf, and I tried to change some options like...

[stats]
maxresultrows = <integer>
* Maximum number of rows allowed in the process memory.
* When the search process exceeds max_mem_usage_mb and maxresultrows, data is
  spilled out to the disk
* If not specified, defaults to searchresults::maxresultrows (which is by default 50000).

maxvalues = <integer>
* Maximum number of values for any field to keep track of.
* Defaults to 0 (unlimited).

[concurrency]
max_count = <integer>
* Maximum number of detected concurrencies.
* Defaults to 10000000

... without any change. I'm reading all the option but I belive that any of them refers to this. I'm wrong?

Any help? please

Tags (1)
0 Karma
1 Solution

slr
Communicator

Ok, my bad. We are testing with the DB connect (lauch a batch, delete index, repeat) and one of the options in batch mode is the max rows to retrieve and guess what? This option is set up to 10 million. I forget to activate the rising column and with all this elements we create "this problem". Solved!

All of you, thank you.

View solution in original post

0 Karma

slr
Communicator

Ok, my bad. We are testing with the DB connect (lauch a batch, delete index, repeat) and one of the options in batch mode is the max rows to retrieve and guess what? This option is set up to 10 million. I forget to activate the rising column and with all this elements we create "this problem". Solved!

All of you, thank you.

0 Karma

gcusello
SplunkTrust
SplunkTrust

I don't know if it's the same thing but I found a situation in which I had a search Limited to 10000 events, also modifing limits.conf.
The problem was the sort command I used: Using "sort 0 myfield" I solved my problem.
Bye.
Giuseppe

0 Karma

slr
Communicator

Thanks for your quick answer!

I know about the sort limit before and I think that the problem was similar, but I can't find something like that in the stats documentation. My query is really simple:

index=some_index $token1$ $token2$ | stats count

Any other suggestion?

Regards.

0 Karma

inventsekar
Ultra Champion

are you having distributed environment?

limits.conf settings and DISTRIBUTED SEARCH
Unlike most settings which affect searches, limits.conf settings are not
provided by the search head to be used by the search peers. This means
that if you need to alter search-affecting limits in a distributed
environment, typically you will need to modify these settings on the
relevant peers and search head for consistent results.

slr
Communicator

Hi @inventsekar

Isn't the case this time. Is a simple Splunk Enterprise 6.4.1 deployment in a Linux Ubuntu Server 16.04

0 Karma

inventsekar
Ultra Champion

may i know your search query please.. are you running and counting using stats or something like that? as per my knowledge, there is no limit for the number of the search results. but maybe, other configs are limiting it seems.

just i tried on my environment and its returning more than 11million events.
host = "my.hostname.com" | stats count
11,599,613

0 Karma

slr
Communicator

Hi again @inventsekar

My query is really simple:

index=index1 $token$ $token2$ $token3$ $token4$ $token5$ $token6$ | stats count

I get 10 million with every user, everywhere (search box or panel).

This is a fresh install, and we are set up the config when we need it and by now, we didn't touch any config file (unless limits.conf for this case).

Maybe a 6.4.1 limitation?

0 Karma

inventsekar
Ultra Champion

nope. 6.4.1 release notes does not say anything about this.
also pls check the user role permissions. the user roles can have Search restrictions.

0 Karma

slr
Communicator

Ok, I will check the roles but this happen with the admin user, too.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...