Dashboards & Visualizations

the flashtimeline dashboard only shows first 1000 events

dmlee
Communicator

Hi ,

my splunk version is 5.0.3 , I find the flashtimeline dashboard shows only the first 1000 events if the number of my search result is large then 1000 events

for example I search "index=_internal | head 1010" , Splunk shows there are 1010 events match my search command , but in "Paginator's" module , it only show 20 pages (50 events per page)

any idea about that ? thanks

0 Karma
1 Solution

mchang_splunk
Splunk Employee
Splunk Employee

Please increase max_events_per_bucket in limits.conf:

[search]
max_events_per_bucket = 1000

Here is the description in document http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf:

  • For searches with status_buckets>1 (i.e. Timeline), this setting will specify the maximum number of events to store per timeline bucket.
  • Defaults to 1000 in code. (limits.conf in default will override to 10000 for 4.3.x until 5.0 to maintain existing behavior until the next major release)

View solution in original post

mchang_splunk
Splunk Employee
Splunk Employee

Please increase max_events_per_bucket in limits.conf:

[search]
max_events_per_bucket = 1000

Here is the description in document http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf:

  • For searches with status_buckets>1 (i.e. Timeline), this setting will specify the maximum number of events to store per timeline bucket.
  • Defaults to 1000 in code. (limits.conf in default will override to 10000 for 4.3.x until 5.0 to maintain existing behavior until the next major release)
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...