Dashboards & Visualizations

Single Value Viz - These results may be truncated. This visualization is configured to display a maximum of 1000 results per series, and that limit has been reached.

maffreitas
Path Finder

Hi friends,

I'm facing the error "These results may be truncated. This visualization is configured to display a maximum of 1000 results per series, and that limit has been reached." when try to use a Single Value viz, the Sparkline resource.

I've tried some different approaches shared here on the answer.splunk without success. Do you have any clue?

Regards.

Marcos Freitas

0 Karma

niketn
Legend

[UPDATED] visualization.conf change for Single Value Data count limit is applicable for version 7.0 onward.

[singlevalue]
data_sources.primary.params.count = 1500

@maffreitas, you can change the limit for Single Value data points (default is 1000) using a local copy of visualizations.confand place the same under $SPLUNK_HOME/etc/system/local

[singlevalue]
data_sources.primary.params.count = 1500

This would require a restart/refresh of Splunk. Please try out and confirm!

However, even if this works there will be too many data points crumbled in small saprkline (which would barely make any sense). You should consider Timechart to show so many data points which would atleast give more width to the visualization. The limit for Charts can be set through SimpleXML using Chart Configuration charting.data.count. This is limit is by default 10000 for Charts. Refer to documentation for avoiding/changing Data Truncation limits in visualizations

Following is the Run anywhere example after applying changes to visualizations.conf as stated above and bringing down the limit of chart to 1500 (for testing purpose only) through Simple XML Chart configuration.

    <option name="charting.data.count">1500</option>

The two screenshots have been taken for 1 day's time bucket per minute i.e. (60*24 =1440) and 2 day's time bucket per minute i.e. (2*60*24=2880).

alt text

Following is the Simple XML Code test the limit changes to Single Value and Chart viz.

<dashboard>
  <label>Single Value Trend with more than 1000 data points</label>
  <row>
    <panel>
      <single>
        <title>Single Value ($tokResultCount$ results)</title>
        <search id="baseDummyTimeSeries">
          <!-- Change to start=-2 to generate 2*1440 time-series data for 2 days with 1 min interval-->
          <query>|  gentimes start=-1 increment=1m
|  fields starttime
|  rename starttime as _time
|  eval randomData=round(random()/10000,2)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <done>
            <set token="tokResultCount">$job.resultCount$</set>
          </done>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x53a051", "0x0877a6", "0xf8be34", "0xf1813f", "0xdc4e41"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">0</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Timechart ($tokResultCount$ results)</title>
        <search base="baseDummyTimeSeries">
          <query></query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="charting.data.count">1500</option>
      </chart>
    </panel>
  </row>
</dashboard>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

maffreitas
Path Finder

Hi @niketnilay ,

This option is not valid for version 6.6.2 (https://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Visualizationsconf). Then, when we try to use charting.data.count 1500 it isn't valid for Single Viz.

Regards.

Marcos Freitas

0 Karma

niketn
Legend

@maffreitas , sorry I am on version 7.1.0, so I can not look into 6.6.2 (visualizations.conf configuration for Single Value data count limit is applicable only for version 7.0 onward).

Yes the charting.data.count is applicable only for Charts and not Single Value. So, until you get a solution for Single Value you can use Timechart for showing trends. As stated earlier anyways Single Value Sparline will be too small to show more than 1000 data points.

I am going to add a comment stating applicable only 7.0 onward to my answer and convert it to comment so that others with 6.6. can answer. Also will see if I can get a system with Splunk 6.6 to find the required configuration/workaround for Single Value.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn
Legend

What is the timechart query you are using for Single Value visualization?
What is the selected Time Range and span used for timechart?

Can you try removing span=<yourSelectedSpan> argument from your timechart command (so that the command picks up default span based on selected time range)?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

maffreitas
Path Finder

Hi @niketnilay,

It's a requirement show per minute (so, the span is equal 1m). And the range is last 24 hs (60 * 24 = 1440 occurrences).

Regards.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...