Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Event visualization limit

lostpassword
Explorer
‎11-25-2013 03:38 AM

Hello.

I'm trying to execute this search:

index = testindex | rex "(<= (?P<senderAddress>.*?) )" | search senderAddress=* | chart dc("messageID") by "senderAddress"

After processing I can see really nice pie chart 🙂 But I also recieve this warning:

These results may be truncated. This
visualization is configured to display
a maximum of 1000 results per series,
and that limit has been reached.

And indeed, I can see only approx. 19k events in the chart, but there should be near 25k. At least, query 

index = testindex | rex "(<= (?P<senderAddress>.*?) )" | search senderAddress=* | chart dc("messageID")

returns 25194.

Can you explain me why search results are truncated?
Thanks,

Alex.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-25-2013 03:53 AM

That limit is there because looking at a pie with 1000 or more slices is fairly pointless.

View solution in original post

Reply
Solved! Jump to solution

kbecker
Communicator
‎09-29-2016 08:13 AM

Have you opened a support case for this? We are trying to get Splunk to remove this limit and more customers behind this will help drive this.

Thanks,
Ken

0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎01-29-2016 06:43 AM

If you turn this into a dashboard, you can use the charting.data.count option to set a higher limit (even unlimited (0) if you're feeling dangerous.
http://docs.splunk.com/Documentation/Splunk/latest/Viz/ChartConfigurationReference

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-25-2013 03:53 AM

That limit is there because looking at a pie with 1000 or more slices is fairly pointless.

Reply
Solved! Jump to solution

lostpassword
Explorer
‎11-26-2013 03:01 AM

Well, it looks like I was actually looking for "top" function.)
I've tried the following query:
index = testindex | rex "(<= (?P.?) )" | search senderAddress= | top 9 senderAddress useother=t
and then opened visualization tab. I think that's what I was trying to achieve.
Thank you for your help.)

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-25-2013 05:23 AM

The count will be correct as long as you're looking at the tabular data (Splunk 6 tab "Statistics"), the pie rendering will discard data points beyond 1000. You can verify this by appending a stats sum(dc-field) to your by-search.

0 Karma
Reply
Solved! Jump to solution

lostpassword
Explorer
‎11-25-2013 04:11 AM

Well, as I can see, Splunk just groups all low-count items in one big sector named "other".
http://postimg.org/image/ok8bc1fz5/
As I understand, total count of all events should be the same, no matter whether "by senderAddress" is specified or not.
Where am I wrong?

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...