
Event visualization limit

Explorer

Hello.

I'm trying to execute this search:

index = testindex | rex "(<= (?P<senderAddress>.*?) )" | search senderAddress=* | chart dc("messageID") by "senderAddress"

After processing I can see a really nice pie chart 🙂 But I also receive this warning:

These results may be truncated. This
visualization is configured to display
a maximum of 1000 results per series,
and that limit has been reached.

And indeed, I can see only approx. 19k events in the chart, but there should be nearly 25k. At least, the query

index = testindex | rex "(<= (?P<senderAddress>.*?) )" | search senderAddress=* | chart dc("messageID")

returns 25194.

Can you explain to me why the search results are truncated?
Thanks,

Alex.


Re: Event visualization limit

SplunkTrust

That limit is there because looking at a pie with 1000 or more slices is fairly pointless.


Re: Event visualization limit

Explorer

Well, as I can see, Splunk just groups all low-count items in one big sector named "other".
http://postimg.org/image/ok8bc1fz5/
As I understand it, the total count of all events should be the same, no matter whether "by senderAddress" is specified or not.
Where am I wrong?

0 Karma

Re: Event visualization limit

SplunkTrust

The count will be correct as long as you're looking at the tabular data (Splunk 6 tab "Statistics"); the pie rendering will discard data points beyond 1000. You can verify this by appending a stats sum(dc-field) to your by-search.

0 Karma

Re: Event visualization limit

Explorer

Well, it looks like I was actually looking for the "top" function.)
I've tried the following query:
index = testindex | rex "(<= (?P<senderAddress>.*?) )" | search senderAddress=* | top 9 senderAddress useother=t
and then opened visualization tab. I think that's what I was trying to achieve.
Thank you for your help.)

0 Karma

Re: Event visualization limit

Ultra Champion

If you turn this into a dashboard, you can use the charting.data.count option to set a higher limit (even unlimited (0) if you're feeling dangerous).
http://docs.splunk.com/Documentation/Splunk/latest/Viz/ChartConfigurationReference

0 Karma
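
The dashboard option from the reply above, written out as a Simple XML dashboard next to the search-side alternative from earlier in the thread. This is an added example, not code from any poster: the labels, titles, time range and the limit value 5000 are assumptions, and it assumes a Splunk version whose Simple XML uses the `<search>`/`<query>` elements.

```xml
<dashboard>
  <label>Messages per sender</label>
  <row>
    <panel>
      <chart>
        <title>All senders, render limit raised</title>
        <search>
          <!-- CDATA is needed because the rex pattern contains "<",
               which would otherwise break the XML. -->
          <query><![CDATA[
            index=testindex
            | rex "(<= (?P<senderAddress>.*?) )"
            | search senderAddress=*
            | chart dc(messageID) by senderAddress
          ]]></query>
          <earliest>-24h@h</earliest>  <!-- assumed time range -->
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <!-- Default is 1000 rows; 5000 is a constructed value.
             Per the reply above, 0 removes the limit. -->
        <option name="charting.data.count">5000</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Top 9 senders plus "other"</title>
        <search>
          <!-- Reduces the series in the search itself, so the
               default render limit is never reached. -->
          <query><![CDATA[
            index=testindex
            | rex "(<= (?P<senderAddress>.*?) )"
            | search senderAddress=*
            | top 9 senderAddress useother=t
          ]]></query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Note that the second panel counts events per sender (`top`), while the first counts distinct messageID values per sender, so the two charts are not expected to show identical numbers.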

Re: Event visualization limit

Communicator

Have you opened a support case for this? We are trying to get Splunk to remove this limit and more customers behind this will help drive this.

Thanks,
Ken

0 Karma