Splunk Enterprise

How to increase the number of results in "show source" in Splunk to 10000?

super_saiyan
Communicator

How do i increase the Number of results in "show source" in Splunk to 10000. Now the maximum limit is 1000.
Please refer to the screen print.

 

super_saiyan_0-1686132347782.png

 

Labels (1)
0 Karma

danspav
SplunkTrust
SplunkTrust

Hi @super_saiyan,

 

You can update limits.conf to change the Show Source settings.  The docs mention that results are "pruned" so while you increase the limit, you may still not get an increase in events displayed.

https://docs.splunk.com/Documentation/Splunk/latest/Admin/limitsconf#.5Bshow_source.5D

[show_source]
distributed = <boolean>
* Whether or not a distributed search is performed to get events from all
  servers and indexes.
* Turning this off results in better performance for show source, but events
  will only come from the initial server and index.
* Default: true

distributed_search_limit = <unsigned integer>
* The maximum number of events that are requested when performing a search
  for distributed show source.
* As this is used for a larger search than the initial non-distributed show
  source, it is larger than max_count
* Splunk software rarely returns anywhere near this number of results,
  as excess results are pruned.
* The point is to ensure the distributed search captures the target event in an environment with many events.
* Default: 30000

max_count = <integer>
* Maximum number of events accessible by show_source.
* The show source command will fail when more than this many events are in the same second as the requested event.
* Default: 10000

max_timeafter = <timespan>
* Maximum time after requested event to show.
* Default: '1day' (86400 seconds)

max_timebefore = <timespan>
* Maximum time before requested event to show.
* Default: '1day' (86400 seconds)

 

Cheers,

Daniel

0 Karma

super_saiyan
Communicator

any help ?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...