Event visualization limit

lostpassword
Explorer

Hello.

I'm trying to execute this search:

index = testindex | rex "(<= (?P<senderAddress>.*?) )" | search senderAddress=* | chart dc("messageID") by "senderAddress"

After processing I can see a really nice pie chart 🙂 But I also receive this warning:

These results may be truncated. This
visualization is configured to display
a maximum of 1000 results per series,
and that limit has been reached.

And indeed, I can see only approx. 19k events in the chart, but there should be near 25k. At least, the query

index = testindex | rex "(<= (?P<senderAddress>.*?) )" | search senderAddress=* | chart dc("messageID")

returns 25194.

Can you explain to me why the search results are truncated?
Thanks,

Alex.

martin_mueller
SplunkTrust

That limit is there because looking at a pie with 1000 or more slices is fairly pointless.

kbecker
Communicator

Have you opened a support case for this? We are trying to get Splunk to remove this limit and more customers behind this will help drive this.

Thanks,
Ken

sloshburch
Ultra Champion

If you turn this into a dashboard, you can use the charting.data.count option to set a higher limit (even unlimited (0) if you're feeling dangerous).
http://docs.splunk.com/Documentation/Splunk/latest/Viz/ChartConfigurationReference

lostpassword
Explorer

Well, it looks like I was actually looking for the "top" function.)
I've tried the following query:
index = testindex | rex "(<= (?P<senderAddress>.*?) )" | search senderAddress=* | top 9 senderAddress useother=t
and then opened visualization tab. I think that's what I was trying to achieve.
Thank you for your help.)

martin_mueller
SplunkTrust

The count will be correct as long as you're looking at the tabular data (the "Statistics" tab in Splunk 6); the pie rendering will discard data points beyond 1000. You can verify this by appending a stats sum(dc-field) to your by-search.
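The two suggestions in this thread (raising charting.data.count in a dashboard, and checking the true total with a stats sum over the per-sender counts) can be combined in one Simple XML dashboard. The following is an added example, not code from any of the posters: it assumes the index name testindex and the fields messageID and senderAddress from the original question, a 24-hour time range, and an alias "messages" for the dc() column so the sum in the second panel refers to a stable field name. The rex pattern is the one from the question, wrapped in CDATA so the angle brackets do not need XML escaping.

```xml
<dashboard>
  <label>Distinct messages per sender (added example)</label>
  <row>
    <panel>
      <title>Pie: dc(messageID) by senderAddress, series limit raised</title>
      <chart>
        <search>
          <!-- Same extraction as in the question; "messages" is an alias added here. -->
          <query><![CDATA[
            index=testindex
            | rex "(<= (?P<senderAddress>.*?) )"
            | search senderAddress=*
            | chart dc(messageID) as messages by senderAddress
          ]]></query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <!-- Default is 1000 data points per series, which produced the
             truncation warning. 0 removes the cap entirely; a finite value
             such as 5000 keeps some protection against huge series. -->
        <option name="charting.data.count">5000</option>
      </chart>
    </panel>
    <panel>
      <title>Verification: sum of per-sender counts (not subject to the chart cap)</title>
      <table>
        <search>
          <!-- The tabular result is complete; summing the dc column here
               should match the plain "chart dc(messageID)" total. -->
          <query><![CDATA[
            index=testindex
            | rex "(<= (?P<senderAddress>.*?) )"
            | search senderAddress=*
            | chart dc(messageID) as messages by senderAddress
            | stats sum(messages) as total_messages, count as senders
          ]]></query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

If the second panel's total_messages matches the unsplit chart dc(messageID) figure while the pie still shows fewer, the difference is purely the visualization cap (or the number of senders exceeds the raised charting.data.count value), not lost events. For a readable chart, the top command with useother=t from the later reply is usually the better choice than an uncapped pie.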

lostpassword
Explorer

Well, as I can see, Splunk just groups all low-count items in one big sector named "other".
http://postimg.org/image/ok8bc1fz5/
As I understand, total count of all events should be the same, no matter whether "by senderAddress" is specified or not.
Where am I wrong?