Why am I encountering the error "The maximum window size (10000) was reached" when the Splunk query gets too big?

barlettal
Engager

Hello All,

I want to count how many sessions are alive from a single IP.

I have a problem with the window size of this Splunk query when it gets too big:

index="XXX" sourcetype="XXX" NOT IP="xxx.xxx.xxx.xxx" NOT IP="xxx.xxx.xxx.xxx"
| bin _time span=5m 
| stats values(SESSIONID) as SESSIONID_MINUTE by IP _time 
| sort 0 - _time 
| streamstats time_window=30m dc(SESSIONID_MINUTE) as COUNT_SESSIONID by IP 
| search COUNT_SESSIONID > 50 
| table _time IP COUNT_SESSIONID

Splunk tells me that "The maximum window size (10000) was reached."

What can I do? Is there any way to get the complete output of the SPL Query?

Thank you for your help!

0 Karma
1 Solution

p_gurav
Champion

Hi,
You can try increasing the admin user's srchDiskQuota from 10000 to 100000. To do this, I created the file /etc/system/local/authorize.conf, and added the stanza:

 [role_admin]
  srchDiskQuota = <integer>

Be careful about increasing this quota for non-admin users, as this can severely hamper performance. Also refer to the documentation:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/authorizeconf

0 Karma

usd0872
Path Finder

You have too many events in the time_window=30m timeframe for streamstats to handle (default = 10,000). Considering your event count of close to 1 billion, I would recommend going for fixed instead of sliding 30-minute windows:

 index="XXX" sourcetype="XXX" NOT IP="xxx.xxx.xxx.xxx" NOT IP="xxx.xxx.xxx.xxx"
 | bin _time span=30m 
 | stats dc(SESSIONID) as COUNT_SESSIONID by IP _time 
 | search COUNT_SESSIONID > 50 
 | table _time IP COUNT_SESSIONID

Not exactly what you are looking for, but an approximation, which hopefully is good enough.
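To make the trade-off in this answer concrete, here is an added example, not code from the original thread or from Splunk: a small Python reimplementation of both pipelines (the asker's 5-minute bins plus a sliding streamstats time_window=30m, and the fixed bin span=30m from this answer) run over constructed sample events. The IPs, session IDs, timestamps and the 12:25 to 12:34 burst are invented for the demonstration; the sliding version processes rows in ascending _time order per IP (an assumption of this reimplementation) and raises an error when more rows than a configurable cap fall inside one window, as a simplified model of the "maximum window size" failure the thread is about.

```python
"""Sliding vs fixed 30-minute distinct-session counts per IP.

Added example, not from the original thread or from Splunk. Sample
events are constructed inline; timestamps are epoch seconds.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

FIVE_MIN = 300
THIRTY_MIN = 1800
THRESHOLD = 50           # the thread's "COUNT_SESSIONID > 50"
MAX_WINDOW_ROWS = 10000  # mirrors the limit named in the error message


def make_events():
    """Constructed sample data: (epoch, ip, sessionid) tuples.

    10.0.0.5 opens 60 sessions between 12:25 and 12:34, a burst that
    straddles the 12:30 boundary of a fixed 30-minute bin.
    10.0.0.9 opens 5 sessions spread over 30 minutes (benign).
    """
    base = datetime(2023, 1, 1, 12, 0, tzinfo=timezone.utc)
    events = []
    for i in range(60):
        minute = 25 + i % 10  # 12:25 .. 12:34
        ts = int((base + timedelta(minutes=minute)).timestamp())
        events.append((ts, "10.0.0.5", f"S{i:03d}"))
    for i in range(5):
        ts = int((base + timedelta(minutes=7 * i)).timestamp())
        events.append((ts, "10.0.0.9", f"T{i}"))
    return events


def bin_time(ts, span):
    """Equivalent of `bin _time span=<span>`: floor to the span boundary."""
    return ts - ts % span


def fixed_window_counts(events, span=THIRTY_MIN):
    """`bin _time span=30m | stats dc(SESSIONID) as COUNT_SESSIONID by IP _time`."""
    sessions = defaultdict(set)
    for ts, ip, sid in events:
        sessions[(ip, bin_time(ts, span))].add(sid)
    return {key: len(sids) for key, sids in sessions.items()}


def sliding_window_counts(events, bin_span=FIVE_MIN, window=THIRTY_MIN,
                          max_rows=MAX_WINDOW_ROWS):
    """`bin _time span=5m | stats values(SESSIONID) by IP _time
    | streamstats time_window=30m dc(SESSIONID_MINUTE) by IP`,
    with rows processed in ascending _time order per IP.

    Raises ValueError when more than max_rows rows sit inside one
    window: a simplified model of the "maximum window size" error.
    """
    per_bin = defaultdict(set)
    for ts, ip, sid in events:
        per_bin[(ip, bin_time(ts, bin_span))].add(sid)

    series = defaultdict(list)  # ip -> [(bin_time, {sessionids})], ascending
    for (ip, t), sids in sorted(per_bin.items()):
        series[ip].append((t, sids))

    counts = {}
    for ip, rows in series.items():
        held = []  # rows currently inside the sliding window
        for t, sids in rows:
            held.append((t, sids))
            held = [(t2, s2) for t2, s2 in held if t - window < t2 <= t]
            if len(held) > max_rows:
                raise ValueError(f"The maximum window size ({max_rows}) was reached")
            # dc() over a multivalue field: distinct values across all held rows
            distinct = set().union(*(s2 for _, s2 in held))
            counts[(ip, t)] = len(distinct)
    return counts


def flagged(counts, threshold=THRESHOLD):
    """`search COUNT_SESSIONID > 50`, returned as sorted (ip, _time) keys."""
    return sorted(key for key, c in counts.items() if c > threshold)


if __name__ == "__main__":
    ev = make_events()
    print("fixed  :", flagged(fixed_window_counts(ev)))
    print("sliding:", flagged(sliding_window_counts(ev)))
```

On the constructed data the sliding window flags 10.0.0.5 at the 12:30 bin (60 distinct sessions in the trailing 30 minutes), while the fixed 30-minute bins see only 30 sessions on each side of the 12:30 boundary and flag nothing. That is the price of the approximation: a burst that crosses a bin edge can be split below the threshold, so if the fixed-window version is adopted, lowering the threshold or running a second pass with bins offset by 15 minutes is worth considering.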

usd0872
Path Finder

The message is not caused by a lack of disk quota, but by the maximum window size used when using the time_window option to the streamstats command. Increasing srchDiskQuota won't help.

0 Karma

barlettal
Engager

I forgot to say that I have 977,887,114 events in that app / sourcetype.

0 Karma