Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Query Limit on a UI view?

jgauthier
Contributor
‎06-13-2011 11:12 AM

I've built a very small example to reproduce a problem I am having. Using this page as an example:
http://www.splunk.com/base/Documentation/4.2.1/Developer/FormSearchPostProcess

I've built a dashboard that looks like this:


  <searchTemplate>sourcetype="Exchange2010" sender="$sender$"</searchTemplate>

  <fieldset>
    <input type="text" token="sender">
      <label>Sender</label>
      <seed>*</seed>
    </input>

    <input type="time">
    <default>Last 30 days</default>
    </input>
  </fieldset>

  <row>
    <chart>
      <title>Requests over time for result set</title>
      <searchPostProcess>timechart count as "Requests"</searchPostProcess>
      <option name="charting.chart">column</option>
    </chart>
  </row>

  <row>
    <chart>
      <title>Top users in result set</title>
      <searchPostProcess>top 10 recipient</searchPostProcess>
      <option name="charting.chart">pie</option>
    </chart>

  </row>

  <row>
    <table>
      <title>Requests in result set</title>
      <searchPostProcess>sort - _time | fields _time, sender, recipient</searchPostProcess>
      <fields>_time, sender, recipient</fields>
      <option name="showPager">true</option>
      <option name="count">30</option>
      <option name="displayRowNumbers">false</option>
      </table>
  </row>
</form>

Regardless of the "Time" chosen, the query seems to abort just after hitting 10,000 rows.
Is this a known limitation? Is there a configuration change I can make to get more?
In some instances, this is only good for a day or two of data, and after that short data. for instance, I can select 30 days, but I really only get about 6.

It always seems to stop short. I'm not sure why, but I never get more than 13,000 records.

Thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

melting
Splunk Employee
Splunk Employee
‎06-13-2011 03:49 PM

Post process is limited to 10,000 events. If you want the full amount you can split into unique searches.

Some values are configurable in limits.conf

View solution in original post

Reply
Solved! Jump to solution
Solution

melting
Splunk Employee
Splunk Employee
‎06-13-2011 03:49 PM

Post process is limited to 10,000 events. If you want the full amount you can split into unique searches.

Some values are configurable in limits.conf

Reply
Solved! Jump to solution

swdonline
Path Finder
‎01-30-2012 05:42 AM

@jgauthier - He's saying instead of doing a single searchTemplate and then searchPostProcess for each chart, get rid of searchPostProcess and do a searchTemplate within each chart. It means you're going to run more searches, but ultimately will be able to surpass the 10,000 event limit.

0 Karma
Reply
Solved! Jump to solution

jgauthier
Contributor
‎06-14-2011 05:44 AM

I'm not sure I understand "split into unique searches." and how it applies to this. Could you elaborate?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...