Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Query Limit on a UI view?

jgauthier
Contributor
‎06-13-2011 11:12 AM

I've built a very small example to reproduce a problem I am having. Using this page as an example:
http://www.splunk.com/base/Documentation/4.2.1/Developer/FormSearchPostProcess

I've built a dashboard that looks like this:


  <searchTemplate>sourcetype="Exchange2010" sender="$sender$"</searchTemplate>

  <fieldset>
    <input type="text" token="sender">
      <label>Sender</label>
      <seed>*</seed>
    </input>

    <input type="time">
    <default>Last 30 days</default>
    </input>
  </fieldset>

  <row>
    <chart>
      <title>Requests over time for result set</title>
      <searchPostProcess>timechart count as "Requests"</searchPostProcess>
      <option name="charting.chart">column</option>
    </chart>
  </row>

  <row>
    <chart>
      <title>Top users in result set</title>
      <searchPostProcess>top 10 recipient</searchPostProcess>
      <option name="charting.chart">pie</option>
    </chart>

  </row>

  <row>
    <table>
      <title>Requests in result set</title>
      <searchPostProcess>sort - _time | fields _time, sender, recipient</searchPostProcess>
      <fields>_time, sender, recipient</fields>
      <option name="showPager">true</option>
      <option name="count">30</option>
      <option name="displayRowNumbers">false</option>
      </table>
  </row>
</form>

Regardless of the "Time" chosen, the query seems to abort just after hitting 10,000 rows.
Is this a known limitation? Is there a configuration change I can make to get more?
In some instances, this is only good for a day or two of data, and after that short data. for instance, I can select 30 days, but I really only get about 6.

It always seems to stop short. I'm not sure why, but I never get more than 13,000 records.

Thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

melting
Splunk Employee
Splunk Employee
‎06-13-2011 03:49 PM

Post process is limited to 10,000 events. If you want the full amount you can split into unique searches.

Some values are configurable in limits.conf

View solution in original post

Reply
Solved! Jump to solution
Solution

melting
Splunk Employee
Splunk Employee
‎06-13-2011 03:49 PM

Post process is limited to 10,000 events. If you want the full amount you can split into unique searches.

Some values are configurable in limits.conf

Reply
Solved! Jump to solution

swdonline
Path Finder
‎01-30-2012 05:42 AM

@jgauthier - He's saying instead of doing a single searchTemplate and then searchPostProcess for each chart, get rid of searchPostProcess and do a searchTemplate within each chart. It means you're going to run more searches, but ultimately will be able to surpass the 10,000 event limit.

0 Karma
Reply
Solved! Jump to solution

jgauthier
Contributor
‎06-14-2011 05:44 AM

I'm not sure I understand "split into unique searches." and how it applies to this. Could you elaborate?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...