Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does the custom search command display only 1000 events?

jibanes
Path Finder
‎09-02-2018 11:12 AM

The following custom search command (which should return 100,000 displays) returns only 1000 events in Splunk. The rest of the events seems to be accounted for, but are not displayed; Splunk 6.x and 7.x:

import splunk.clilib.cli_common as spcli
import splunk.Intersplunk
import sys
import time

keywords, options = splunk.Intersplunk.getKeywordsAndOptions()

def main(args):
  results = []
  row = {}
  for i in range(0,100000):
    record = {}
    record['_time'] = time.time()
    record['_raw'] = "{" + str(i) + "}"
    results.append(record)
  splunk.Intersplunk.outputStreamResults(results)
  exit()
main(sys.argv)

commands.conf:

[test]
filename = test.py
local = true
overrides_timeorder = true
streaming = true
supports_multivalues = true
generating = stream

alt text

Preview file
1 KB
0 Karma
Reply

mchang_splunk
Splunk Employee
Splunk Employee
‎09-26-2018 06:16 PM

This is because by default it's limited at 1000 in code.

You can increase this value in limits.conf:
[search]
max_events_per_bucket = xxxx

Please refer to this answer:
https://answers.splunk.com/answers/92979/the-flashtimeline-dashboard-only-shows-first-1000-events.ht...

0 Karma
Reply

Lazarix
Communicator
‎09-02-2018 03:12 PM

look for limits.conf

Configure:

[searchresults]
maxresultrows = 100000
0 Karma
Reply

jibanes
Path Finder
‎09-02-2018 03:26 PM

No that doesn't seem to change the behavior, I added this in limits.conf, then restarted splunk.

/opt/splunk/bin/splunk btool limits list | grep -A10 searchresults
[searchresults]
compression_level = 1
max_mem_usage_mb = 200
maxresultrows = 100000
tocsv_maxretry = 5
tocsv_retryperiod_ms = 500
[set]
max_mem_usage_mb = 200
maxresultrows = 50000
[show_source]
distributed = true

Same behavior as previously reported though... only 10,000 results visible.

Note that the same behavior is observed with the default splunk command:

| streambag chunks=100

there are no events passed page #20. Exact same behavior.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...