Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Query Limit on a UI view?

jgauthier
Contributor
‎06-13-2011 11:12 AM

I've built a very small example to reproduce a problem I am having. Using this page as an example:
http://www.splunk.com/base/Documentation/4.2.1/Developer/FormSearchPostProcess

I've built a dashboard that looks like this:


  <searchTemplate>sourcetype="Exchange2010" sender="$sender$"</searchTemplate>

  <fieldset>
    <input type="text" token="sender">
      <label>Sender</label>
      <seed>*</seed>
    </input>

    <input type="time">
    <default>Last 30 days</default>
    </input>
  </fieldset>

  <row>
    <chart>
      <title>Requests over time for result set</title>
      <searchPostProcess>timechart count as "Requests"</searchPostProcess>
      <option name="charting.chart">column</option>
    </chart>
  </row>

  <row>
    <chart>
      <title>Top users in result set</title>
      <searchPostProcess>top 10 recipient</searchPostProcess>
      <option name="charting.chart">pie</option>
    </chart>

  </row>

  <row>
    <table>
      <title>Requests in result set</title>
      <searchPostProcess>sort - _time | fields _time, sender, recipient</searchPostProcess>
      <fields>_time, sender, recipient</fields>
      <option name="showPager">true</option>
      <option name="count">30</option>
      <option name="displayRowNumbers">false</option>
      </table>
  </row>
</form>

Regardless of the "Time" chosen, the query seems to abort just after hitting 10,000 rows.
Is this a known limitation? Is there a configuration change I can make to get more?
In some instances, this is only good for a day or two of data, and after that short data. for instance, I can select 30 days, but I really only get about 6.

It always seems to stop short. I'm not sure why, but I never get more than 13,000 records.

Thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

melting
Splunk Employee
Splunk Employee
‎06-13-2011 03:49 PM

Post process is limited to 10,000 events. If you want the full amount you can split into unique searches.

Some values are configurable in limits.conf

View solution in original post

Reply
Solved! Jump to solution
Solution

melting
Splunk Employee
Splunk Employee
‎06-13-2011 03:49 PM

Post process is limited to 10,000 events. If you want the full amount you can split into unique searches.

Some values are configurable in limits.conf

Reply
Solved! Jump to solution

swdonline
Path Finder
‎01-30-2012 05:42 AM

@jgauthier - He's saying instead of doing a single searchTemplate and then searchPostProcess for each chart, get rid of searchPostProcess and do a searchTemplate within each chart. It means you're going to run more searches, but ultimately will be able to surpass the 10,000 event limit.

0 Karma
Reply
Solved! Jump to solution

jgauthier
Contributor
‎06-14-2011 05:44 AM

I'm not sure I understand "split into unique searches." and how it applies to this. Could you elaborate?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...