Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to increase the list of results in my dashboard to display more than 1020 results?

svemurilv
Path Finder
‎01-30-2017 07:34 AM

Hi Team,
I have a Dashboard displaying the log events List of the specific date. When I am trying to displays all _raw events list, my dashboard shows only 1020 events count, is there any way to display complete raw log events in dashboard, without updating my Limits.conf file or some other .conf changes

using the search index=main source="/home/apps/loader/logs/$date_log$/$processname$" $loglevel$ "$search$"
-Thanks.

0 Karma
Reply

frobinson_splun
Splunk Employee
Splunk Employee
‎01-30-2017 12:21 PM

Hi @svemurilv,
Here is some documentation on configuring data truncation using the web.conf file and/or Simple XML:

http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/ChartDisplayissues#Data_truncation
http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/ChartDisplayissues#Configuration_file_data_tru...

Hope this helps!

0 Karma
Reply

rjthibod
Champion
‎01-30-2017 09:20 AM

You probably need to put | table _time _raw on the end of your query.

https://answers.splunk.com/answers/169448/splunk-search-limits-results-to-1000-events-only.html

0 Karma
Reply

svemurilv
Path Finder
‎01-30-2017 02:05 PM

yeah for both 6.2 and 6.5.1

0 Karma
Reply

svemurilv
Path Finder
‎01-30-2017 01:30 PM

This code is working 

   <table>
    <search>
      <query>index=* source="/home/XXXXXXX/XXXXXX/logs/$date_log$/$processname$" $loglevel$ "$search$" | table _time _raw |sort +_time</query>
      <earliest>$time_sel.earliest$</earliest>
      <latest>$time_sel.latest$</latest>
      <sampleRatio>1</sampleRatio>
    </search>
    <option name="count">100</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">cell</option>
    <option name="percentagesRow">false</option>
    <option name="rowNumbers">false</option>
    <option name="totalsRow">false</option>
    <option name="wrap">true</option>
  </table>
0 Karma
Reply

rjthibod
Champion
‎01-30-2017 01:36 PM

in 6.5 correct?

0 Karma
Reply

svemurilv
Path Finder
‎01-30-2017 12:05 PM

Hi,
Am seeing same issues with staging which is running on latest 6.5.1 version.

-thanks

0 Karma
Reply

rjthibod
Champion
‎01-30-2017 12:25 PM

Hmm, strange. I don't see in 6.5 like I do in 6.2.

0 Karma
Reply

svemurilv
Path Finder
‎01-30-2017 10:22 AM

its bit old version 6.2

0 Karma
Reply

rjthibod
Champion
‎01-30-2017 10:24 AM

hmm, that maybe the issue. hold on.

0 Karma
Reply

rjthibod
Champion
‎01-30-2017 10:28 AM

Yes, mine gets truncated at 2000 lines on 6.2, and the total proparly depends on how big the raw events are.

You probably can't change this since it is likely limited in the JS stack, not inherent to the search head limits.

In general, there should be no reason for displaying that many raw events, because it will be impossible to find anything. I think you need to reconsider what you are doing with the data.

0 Karma
Reply

svemurilv
Path Finder
‎01-30-2017 10:13 AM

Same out pot no change its displaying only 1020 raw events , that's it

0 Karma
Reply

rjthibod
Champion
‎01-30-2017 10:18 AM

What version of Splunk are you using?

0 Karma
Reply

svemurilv
Path Finder
‎01-30-2017 09:58 AM 
<panel>
  <event>
    <search>
      <query>   index=main source="/home/gdloader/gdloader/logs/$date_log$/$processname$" $loglevel$ "$search$"  | table _time _raw </query>
      <earliest>$time_sel.earliest$</earliest>
      <latest>$time_sel.latest$</latest>
       </search>
     </event>
</panel>
0 Karma
Reply

rjthibod
Champion
‎01-30-2017 10:09 AM

What happens if you add these options? How many pages of results do you see?

 <panel>
   <event>
     <search>
       <query>   index=main source="/home/gdloader/gdloader/logs/$date_log$/$processname$" $loglevel$ "$search$"  | table _time _raw </query>
       <earliest>$time_sel.earliest$</earliest>
       <latest>$time_sel.latest$</latest>
        </search>
        <option name="count">100</option>
        <option name="type">raw</option>
      </event>
 </panel>
0 Karma
Reply

svemurilv
Path Finder
‎01-30-2017 09:44 AM

Hi rjthibod
this doesn't help full to pull all my 6K events, again its showing 1020 events only instead of all events.

0 Karma
Reply

rjthibod
Champion
‎01-30-2017 09:51 AM

If I add an event table with raw results, I can retrieve thousands of events.

Please share your XML that you are using. Also, what version of Splunk?

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...