I'm trying to execute this search:
index = testindex | rex "(<= (?P<senderAddress>.*?) )" | search senderAddress=* | chart dc("messageID") by "senderAddress"
After processing I can see a really nice pie chart 🙂 But I also receive this warning:
These results may be truncated. This visualization is configured to display a maximum of 1000 results per series, and that limit has been reached.
And indeed, I can see only approx. 19k events in the chart, but there should be nearly 25k. At least, query
index = testindex | rex "(<= (?P<senderAddress>.*?) )" | search senderAddress=* | chart dc("messageID")
Can you explain to me why search results are truncated?
Well, as I can see, Splunk just groups all low-count items in one big sector named "other".
As I understand, total count of all events should be the same, no matter whether "by senderAddress" is specified or not.
Where am I wrong?
The count will be correct as long as you're looking at the tabular data (Splunk 6 tab "Statistics"); the pie rendering will discard data points beyond 1000. You can verify this by appending a stats sum(dc-field) to your
Well, it looks like I was actually looking for the "top" function.)
I've tried the following query:
index = testindex | rex "(<= (?P
and then opened visualization tab. I think that's what I was trying to achieve.
Thank you for your help.)
If you turn this into a dashboard, you can use the charting.data.count option to set a higher limit (even unlimited (0) if you're feeling dangerous).
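As an added illustration (not posted by anyone in this thread), here is what that dashboard setting looks like in a Splunk Simple XML panel that runs the search from the question. The dashboard label, panel title and the time range are assumptions chosen for the example; the only setting taken from the thread is charting.data.count, which lifts the 1000-results-per-series cap that produces the warning quoted above.

```xml
<dashboard>
  <label>Sender addresses (example dashboard)</label>
  <row>
    <panel>
      <chart>
        <title>Distinct messages per sender</title>
        <search>
          <!-- Same search as in the question. Inside XML the "<" and ">" of the
               regex must be escaped, otherwise the dashboard fails to parse. -->
          <query>index=testindex | rex "(&lt;= (?P&lt;senderAddress&gt;.*?) )" | search senderAddress=* | chart dc(messageID) by senderAddress</query>
          <!-- Assumed time range for the example -->
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <!-- The renderer keeps at most 1000 results per series by default.
             0 removes the cap, as suggested in the reply above; a large
             positive number raises it instead of removing it. -->
        <option name="charting.data.count">0</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Note that this changes only what the chart renders. The underlying search results are not truncated either way, which is why the "Statistics" tab (or a trailing stats over the chart output) still shows the full counts.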
Have you opened a support case for this? We are trying to get Splunk to remove this limit and more customers behind this will help drive this.