Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Visualization limit
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
with the search below I identify the account locked-out - I am using "column chart" output and under visualization format there is no limit but as result only ten Account names are displayed. I have no idea where this limit has been introduced and I need to display all Account locked-out
Thank you in advance for the attention given
index=wineventlog source="WinEventLog:Security" sourcetype="WinEventLog:Security" Account_Name="*" EventCode=4740 OR EventCode=644 AND Account_Name!=Guest AND Account_Name!=Administrator AND Account_Name!=Anonymous | eval Account_Name = mvindex(Account_Name,1) | eval Security_ID = mvindex(Security_ID,1) | timechart span=1h useother=f count by Account_Name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=wineventlog source="WinEventLog:Security" sourcetype="WinEventLog:Security" Account_Name="*" EventCode=4740 OR EventCode=644 AND Account_Name!=Guest AND Account_Name!=Administrator AND Account_Name!=Anonymous | eval Account_Name = mvindex(Account_Name,1) | eval Security_ID = mvindex(Security_ID,1) | timechart limit=0 span=1h useother=f count by Account_Name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=wineventlog source="WinEventLog:Security" sourcetype="WinEventLog:Security" Account_Name="*" EventCode=4740 OR EventCode=644 AND Account_Name!=Guest AND Account_Name!=Administrator AND Account_Name!=Anonymous | eval Account_Name = mvindex(Account_Name,1) | eval Security_ID = mvindex(Security_ID,1) | timechart limit=0 span=1h useother=f count by Account_Name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The timechart command has a limit option, I thought the default was documented, but don't see it in the docs. This earlier answer states the default is 10.
Dave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep like Dave said there is a limit=X option for timechart. Timechart can be a bear to display properly. Depending on the time range the search is run in, I often have to slice it into bigger slices using span= as well as limit.
So. If you're doing a 30 day search your timechart might look like this to get the top 50 accounts per day.
| timechart span=1d useother=f limit=50 count by Account_Name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Dave
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
