I am revamping a dashboard that was written for Splunk 5.0.14 so that it runs on Splunk 6.2.5. I have both versions running on top of the same events. I noticed that my v6 dashboard has incorrect counts for all of my charts. These are month-long views of different stats (like -1mon@mon TO @mon), so there are a lot of events involved, and all the searches are saved and scheduled.
When I run the v6 searches for a smaller time range (interactively), say a few days, then the counts are accurate. So I'm assuming there is some implicit return limit on searches that was not in place in v5.0.14. How can I increase the limit on my saved searches? Thanks!
The default value of 50000 can be modified by editing the [searchresults] stanza in limits.conf:
[searchresults]
maxresultrows = 100000
index=x sourcetype=y (keyword OR keyword) (keyword OR keyword OR keyword) | eval WaitTime=(totalTimeCreateToFinish - timeStartToFinish)/60000 | eval runTime=timeStartToFinish/60000 | eval type=replace(name, "blah", "") | eval type=replace(type, "blah", "") | eval type=replace(type, "blah", "") | fields req_field1,req_field2....
Don't use fields * and dedup _raw; this will cause high Splunk processing load. Better to use the top or head command.
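A practical check to go with the answer above, added here as an example and not part of the original thread or of Splunk's own tooling: it computes the effective [searchresults] maxresultrows the way Splunk layers limits.conf (system default first, then local overrides, last one wins), and it flags any scheduled search whose result count sits exactly at that limit, which is the usual signature of silent truncation rather than a genuine count. The limits.conf texts, the search names and the result counts are constructed sample data; the 50000 default is Splunk's documented default for this setting.

```python
"""Added example: effective maxresultrows and a truncation check.

Not code from the original thread. The conf fragments and result counts
below are constructed; only the 50000 default comes from Splunk's docs.
"""
import configparser

# Documented default for [searchresults] maxresultrows in limits.conf.
SPLUNK_DEFAULT_MAXRESULTROWS = 50000

# Constructed stand-in for $SPLUNK_HOME/etc/system/default/limits.conf.
DEFAULT_LIMITS_CONF = """
[searchresults]
maxresultrows = 50000
"""

# Constructed stand-in for $SPLUNK_HOME/etc/system/local/limits.conf,
# i.e. the override the answer recommends.
LOCAL_LIMITS_CONF = """
[searchresults]
# raised so month-long scheduled searches are not cut off
maxresultrows = 100000
"""

# Constructed result counts per saved search, as a scheduler report
# would show them. A count pinned exactly at the limit is suspicious.
SAMPLE_RESULT_COUNTS = {
    "monthly_wait_times": 50000,
    "daily_wait_times": 8421,
    "monthly_run_times": 49999,
}


def effective_maxresultrows(layers):
    """Return the maxresultrows in force after applying conf layers.

    `layers` is a list of limits.conf texts in precedence order, lowest
    first (system default, then app defaults, then local). A later layer
    that sets the key overrides an earlier one; layers that do not set it
    leave the current value alone, which is how Splunk merges conf files.
    """
    value = SPLUNK_DEFAULT_MAXRESULTROWS
    for text in layers:
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        if cp.has_option("searchresults", "maxresultrows"):
            value = cp.getint("searchresults", "maxresultrows")
    return value


def suspect_truncation(result_counts, limit):
    """Return names of searches whose row count reached the limit.

    A search that returns exactly `limit` rows almost certainly had more
    matching events; its downstream counts should not be trusted.
    """
    return [name for name, rows in result_counts.items() if rows >= limit]


if __name__ == "__main__":
    before = effective_maxresultrows([DEFAULT_LIMITS_CONF])
    after = effective_maxresultrows([DEFAULT_LIMITS_CONF, LOCAL_LIMITS_CONF])
    print("effective maxresultrows, default only:", before)
    print("effective maxresultrows, with local override:", after)
    print("searches likely truncated at", before, ":",
          suspect_truncation(SAMPLE_RESULT_COUNTS, before))
```

On a live instance the merged value can be confirmed with `splunk btool limits list searchresults --debug`, which also shows which file each setting came from; compare that number against the row counts your scheduled searches actually return before and after the change.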
Thanks for the ideas. I will be specific with the dedup & fields statements and see if that helps. Do you know if the maxresultrows default value has changed since v5.0?
There's nothing at all complicated in these searches. Here's a sample:
index=x sourcetype=y (keyword OR keyword) (keyword OR keyword OR keyword)
| dedup _raw | eval WaitTime=totalTimeCreateToFinish/60000 - timeStartToFinish/60000 | eval runTime=timeStartToFinish/60000
| eval type=replace(name, "blah", "") | eval type=replace(type, "blah", "") | eval type=replace(type, "blah", "") | fields *
Can you include your search (stripped of confidential information, of course) so that we can see what elements are included in the search? There are limits on joins, sorts, etc., and there are ways to avoid such things and increase efficiency.