Splunk Enterprise

help on results blocked to 10000

jip31
Motivator

Hello,

The search below works fine, except that the OnlineCount field is blocked at 10000.

 

`OnOff` 
| stats latest(_time) as _time by host 
| eval DiffInSeconds = (now() - _time) 
| eval DiffInMinutes=DiffInSeconds/60 
| eval Status=if(DiffInSeconds<3601, "Online", "Offline") 
| eval EventCreatedTime=strftime(_time,"%d-%b-%Y %H:%M:%S %p %Z" ) 
| table host EventCreatedTime DiffInMinutes Status 
| sort -EventCreatedTime 
| eval Code = if(like(Status,"Online"), "Online", "Offline") 
| lookup host_OnOff.csv HOSTNAME as host output SITE DEPARTMENT RESPONSIBLE_USER 
| stats dc(host) AS OnlineCount by Code 
| where Code = "Online" 
| appendcols 
    [| inputlookup host_OnOff.csv 
    | rename HOSTNAME as host 
    | search SITE=*
    | search RESPONSIBLE_USER=*
    | stats dc(host) as NbIndHost] 
| fields OnlineCount NbIndHost 
| eval OnlineCount = if(OnlineCount> 0, tostring(OnlineCount), "") + " / " + NbIndHost + " machines "

 

host_OnOff.csv is updated automatically by the scheduled search below:

| inputlookup fo_all 
| table HOSTNAME SITE CATEGORY RESPONSIBLE_USER DEPARTMENT 
| outputlookup host_OnOff.csv

How can I avoid this, please?


thambisetty
SplunkTrust

The sort will limit the number of results to 10000 by default if you don't specify 0. Check more info on sort here.

 | sort -EventCreatedTime 

————————————
If this helps, give a like below.
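
The fix from the answer above applied to the search in the question, as an added example (not code posted by either participant). `sort 0` lifts the default 10000-result cap, and the sort runs on the numeric `_time` before `table` drops it, because `EventCreatedTime` is a formatted string that sorts alphabetically rather than chronologically. The macro, lookup and field names are the ones in the question; the final `eval` uses `.` for concatenation because it accepts both strings and numbers.

```spl
`OnOff`
| stats latest(_time) as _time by host
| eval DiffInSeconds = now() - _time
| eval DiffInMinutes = DiffInSeconds / 60
| eval Status = if(DiffInSeconds < 3601, "Online", "Offline")
| eval EventCreatedTime = strftime(_time, "%d-%b-%Y %H:%M:%S %p %Z")
| sort 0 -_time
| table host EventCreatedTime DiffInMinutes Status
| eval Code = if(like(Status, "Online"), "Online", "Offline")
| lookup host_OnOff.csv HOSTNAME as host output SITE DEPARTMENT RESPONSIBLE_USER
| stats dc(host) AS OnlineCount by Code
| where Code = "Online"
| appendcols
    [| inputlookup host_OnOff.csv
    | rename HOSTNAME as host
    | search SITE=*
    | search RESPONSIBLE_USER=*
    | stats dc(host) as NbIndHost]
| fields OnlineCount NbIndHost
| eval OnlineCount = if(OnlineCount > 0, tostring(OnlineCount), "") . " / " . NbIndHost . " machines"
```

Because `stats dc(host)` does not depend on row order, the `sort` and `table` lines can also be dropped entirely when only the count is displayed, which removes the truncation risk altogether.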
