Dashboards & Visualizations

the flashtimeline dashboard only shows first 1000 events

dmlee
Communicator

Hi ,

my splunk version is 5.0.3 , I find the flashtimeline dashboard shows only the first 1000 events if the number of my search result is large then 1000 events

for example I search "index=_internal | head 1010" , Splunk shows there are 1010 events match my search command , but in "Paginator's" module , it only show 20 pages (50 events per page)

any idea about that ? thanks

0 Karma
1 Solution

mchang_splunk
Splunk Employee
Splunk Employee

Please increase max_events_per_bucket in limits.conf:

[search]
max_events_per_bucket = 1000

Here is the description in document http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf:

  • For searches with status_buckets>1 (i.e. Timeline), this setting will specify the maximum number of events to store per timeline bucket.
  • Defaults to 1000 in code. (limits.conf in default will override to 10000 for 4.3.x until 5.0 to maintain existing behavior until the next major release)

View solution in original post

mchang_splunk
Splunk Employee
Splunk Employee

Please increase max_events_per_bucket in limits.conf:

[search]
max_events_per_bucket = 1000

Here is the description in document http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf:

  • For searches with status_buckets>1 (i.e. Timeline), this setting will specify the maximum number of events to store per timeline bucket.
  • Defaults to 1000 in code. (limits.conf in default will override to 10000 for 4.3.x until 5.0 to maintain existing behavior until the next major release)
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...