Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I encountering the error "The maximum window size (10000) was reached" when the Splunk query gets too big?

barlettal
Engager
‎03-12-2018 03:31 AM

Hello All,

I want to count how many sessions are alive from a single IP.

I have a problem with the window size of this splunk query gets to big:

index="XXX" sourcetype="XXX" NOT IP="xxx.xxx.xxx.xxx" NOT IP="xxx.xxx.xxx.xxx"
| bin _time span=5m 
| stats values(SESSIONID) as SESSIONID_MINUTE by IP _time 
| sort 0 - _time 
| streamstats time_window=30m dc(SESSIONID_MINUTE) as COUNT_SESSIONID by IP 
| search COUNT_SESSIONID > 50 
| table _time IP COUNT_SESSIONID

Splunk tell me, that "The maximum window size (10000) was reached.".

What can I do? Is there any way to get the complete output of the SPL Query?

Thank you for your help!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

p_gurav
Champion
‎03-12-2018 06:00 AM

Hi,
You can try increasing the admin user's srchDiskQuota from 10000 to 100000. To do this, I created the file /etc/system/local/authorize.conf, and added the stanza:

 [role_admin]
  srchDiskQuota = <integer>

Be careful about increasing this quota for non-admin users, as this can severely hamper performance.Also refer documents:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/authorizeconf

View solution in original post

0 Karma
Reply
Solved! Jump to solution

usd0872
Path Finder
‎03-15-2018 01:08 AM

You have too many events in the time_window=30m timeframe for streamstats to handle (default=10'000). Considering your event count of close to 1 billion I would recommend to go for fixed instead of sliding 30 minute windows:

 index="XXX" sourcetype="XXX" NOT IP="xxx.xxx.xxx.xxx" NOT IP="xxx.xxx.xxx.xxx"
 | bin _time span=30m 
 | stats dc(SESSIONID) as COUNT_SESSIONID by IP _time 
 | search COUNT_SESSIONID > 50 
 | table _time IP COUNT_SESSIONID

Not exactly what you are looking for, but an approximation, which hopefully is good enough.

Reply
Solved! Jump to solution
Solution

p_gurav
Champion
‎03-12-2018 06:00 AM

Hi,
You can try increasing the admin user's srchDiskQuota from 10000 to 100000. To do this, I created the file /etc/system/local/authorize.conf, and added the stanza:

 [role_admin]
  srchDiskQuota = <integer>

Be careful about increasing this quota for non-admin users, as this can severely hamper performance.Also refer documents:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/authorizeconf

0 Karma
Reply
Solved! Jump to solution

usd0872
Path Finder
‎03-14-2018 09:23 AM

The message is not caused by a lack of disk quota, but by the maximum window size used when using the time_window option to the streamstats command. Increasing srchDiskQuota won't help.

0 Karma
Reply
Solved! Jump to solution

barlettal
Engager
‎03-12-2018 04:57 AM

I forgot to say that I have 977'887'114 Events in that app / sourcetype.

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...