Dashboards & Visualizations

Form-view and flashtimeline displaying different results when the search has tag::eventtype

Paolo_Prigione
Builder

I have a form-view (that feeds many panels out of the same searchTemplate) which only displays about 10k to 16k results, while the same search, run in the flashtimeline over the same time period, shows > 100k...
My search is as simple as this:

tag::eventtype=perform_monitoring | fields + host sourcetype eventtype

Is there any limit to the results returned by a search performed into a view looking only at tag::eventtype?

I am using eventtypes to classify some notable events. Something like:

  • user login success
  • user login failure
  • user provisioning success
  • user provisioning failure
  • ... and so on.

These eventtypes all have a tag: "perform_monitoring". I created a form view which has a single search to feed all its panels:

<searchTemplate>tag::eventtype=perform_monitoring | fields + ...all the necessary fields</searchTemplate>

Every single panel has its own:

<searchPostProcess>search eventtype="user login *" | rex field=eventtype "user login (?<result>\w+)" | timechart count by result </searchPostProcess>

However, if I execute this search, say, on the last 24 hours, the results will only show about 2 hours of data, and will always be between 10k and 15k. But if I run the same search on the flashtimeline view, I get > 100k results for the same time period (and same user), and they span over the full 24 hours.

The job manager is telling me the correct earliest time (i.e. 24h ago) and reporting a number of events coherent with what is displayed on the form-view. Yet the same search on the flashtimeline shows 10x more results...

I really have no idea why this happens... Do you?

0 Karma

Paolo_Prigione
Builder

Limits.conf seems to be the reason:

[search]
max_count = <integer>
* The number of events that can be accessible in any given status bucket.
* The last accessible event in a call that takes a base and bounds.
* Defaults to 10000.

In fact, by inspecting the search job, I find:

eventAvailableCount 10000
eventCount  10714
statusBuckets 0

However, I see no easy way to circumvent this, other than disrupting limits.conf with an unreasonably high setting....

0 Karma
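As an added check that is not part of the original thread, the Python below reads max_count from a limits.conf fragment and compares it against job-inspector readings like the ones above, flagging every base search whose post-processed panels silently saw only part of the data (for a monitoring dashboard counting login failures, that is an undercount nobody notices). The limits.conf text and the job rows are constructed; the first row copies the eventCount / eventAvailableCount values from this post.

```python
import configparser

# Constructed limits.conf fragment; the value is the default quoted in the post.
LIMITS_CONF = """
[search]
max_count = 10000
"""

# Constructed job-inspector readings. The first row mirrors the numbers in the
# post (eventCount 10714, eventAvailableCount 10000); the other two are made up.
SAMPLE_JOBS = [
    {"sid": "form_view_base_search", "eventCount": 10714, "eventAvailableCount": 10000},
    {"sid": "weekly_login_failures", "eventCount": 103950, "eventAvailableCount": 10000},
    {"sid": "small_audit_search", "eventCount": 4200, "eventAvailableCount": 4200},
]


def max_count_from_limits(conf_text, default=10000):
    """Read [search] max_count from limits.conf text, falling back to the documented default."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.getint("search", "max_count", fallback=default)


def truncated_jobs(jobs, max_count):
    """Flag every job whose post-process stage could only see part of the base search.

    Panels fed via searchPostProcess work on the accessible events
    (eventAvailableCount), so any gap to eventCount is data the panels never saw.
    """
    findings = []
    for job in jobs:
        total, avail = job["eventCount"], job["eventAvailableCount"]
        if avail < total:
            findings.append({
                "sid": job["sid"],
                "unseen_events": total - avail,
                "unseen_pct": round(100.0 * (total - avail) / total, 1),
                "capped_at_max_count": avail == max_count,
            })
    return findings


def required_max_count(jobs):
    """Smallest max_count that would have exposed every observed job in full."""
    return max(job["eventCount"] for job in jobs)


if __name__ == "__main__":
    cap = max_count_from_limits(LIMITS_CONF)
    for f in truncated_jobs(SAMPLE_JOBS, cap):
        print(f"{f['sid']}: {f['unseen_events']} events ({f['unseen_pct']}%) never reached the panels")
    print("max_count needed to cover all observed jobs:", required_max_count(SAMPLE_JOBS))
```

Running it against real jobs means feeding in the eventCount and eventAvailableCount values the job inspector shows for each base search, rather than the constructed rows.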