Getting Data In

Why am I encountering the error "The maximum window size (10000) was reached" when the Splunk query gets too big?

Engager

Hello All,

I want to count how many sessions are alive from a single IP.

I have a problem with the window size of this splunk query gets to big:

index="XXX" sourcetype="XXX" NOT IP="xxx.xxx.xxx.xxx" NOT IP="xxx.xxx.xxx.xxx"
| bin _time span=5m 
| stats values(SESSIONID) as SESSIONID_MINUTE by IP _time 
| sort 0 - _time 
| streamstats time_window=30m dc(SESSIONID_MINUTE) as COUNT_SESSIONID by IP 
| search COUNT_SESSIONID > 50 
| table _time IP COUNT_SESSIONID

Splunk tell me, that "The maximum window size (10000) was reached.".

What can I do? Is there any way to get the complete output of the SPL Query?

Thank you for your help!

0 Karma
1 Solution

Champion

Hi,
You can try increasing the admin user's srchDiskQuota from 10000 to 100000. To do this, I created the file /etc/system/local/authorize.conf, and added the stanza:

 [role_admin]
  srchDiskQuota = <integer>

Be careful about increasing this quota for non-admin users, as this can severely hamper performance.Also refer documents:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/authorizeconf

View solution in original post

0 Karma

Path Finder

You have too many events in the time_window=30m timeframe for streamstats to handle (default=10'000). Considering your event count of close to 1 billion I would recommend to go for fixed instead of sliding 30 minute windows:

 index="XXX" sourcetype="XXX" NOT IP="xxx.xxx.xxx.xxx" NOT IP="xxx.xxx.xxx.xxx"
 | bin _time span=30m 
 | stats dc(SESSIONID) as COUNT_SESSIONID by IP _time 
 | search COUNT_SESSIONID > 50 
 | table _time IP COUNT_SESSIONID

Not exactly what you are looking for, but an approximation, which hopefully is good enough.

Champion

Hi,
You can try increasing the admin user's srchDiskQuota from 10000 to 100000. To do this, I created the file /etc/system/local/authorize.conf, and added the stanza:

 [role_admin]
  srchDiskQuota = <integer>

Be careful about increasing this quota for non-admin users, as this can severely hamper performance.Also refer documents:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/authorizeconf

View solution in original post

0 Karma

Path Finder

The message is not caused by a lack of disk quota, but by the maximum window size used when using the time_window option to the streamstats command. Increasing srchDiskQuota won't help.

0 Karma

Engager

I forgot to say that I have 977'887'114 Events in that app / sourcetype.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!