Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why my search query returns only top 10k records?

akarivaratharaj
Communicator
‎02-16-2021 10:24 PM

I have a very basic search query to display ID and it's respective name. There are 1.3 lakhs of data events under the respective sourcetype and all the events have ID and name field in it.

When I run the search query to display the ID and name, only top 10,000 records are displaying.

I have tried to display the results using stats command, table command, chart command and  fields + table command. In all of these methods only top 10k records are showing in the statistics section.

But I need all the 1.3 lakh IDs and Names to be displayed so that I can output those data to a lookup file.

Here is my search query

index=main source=splunk_id_name.log sourcetype=id_metric host=xxx
|stats values(name) by id
|sort id
|rename id AS ID name AS Name

 

Is this the limit of records which can be displayed in Splunk? Or am I missing with any other command?


I need this very urgently. Could anyone please help me on this to get resolved as soon as possible.

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-17-2021 12:16 AM

sort has a default limit of 10000 try

| sort 0 id

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-17-2021 12:16 AM

sort has a default limit of 10000 try

| sort 0 id
Reply
Solved! Jump to solution

akarivaratharaj
Communicator
‎02-17-2021 09:31 AM

Thankyou @ITWhisperer  it's worked for me.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...