Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help on results blocked to 10000

jip31
Motivator
‎12-04-2020 04:51 AM

hello

The search below works fine except that the onlinecount fields is blocked to 10000

 

`OnOff` 
| stats latest(_time) as _time by host 
| eval DiffInSeconds = (now() - _time) 
| eval DiffInMinutes=DiffInSeconds/60 
| eval Status=if(DiffInSeconds<3601, "Online", "Offline") 
| eval EventCreatedTime=strftime(_time,"%d-%b-%Y %H:%M:%S %p %Z" ) 
| table host EventCreatedTime DiffInMinutes Status 
| sort -EventCreatedTime 
| eval Code = if(like(Status,"Online"), "Online", "Offline") 
| lookup host_OnOff.csv HOSTNAME as host output SITE DEPARTMENT RESPONSIBLE_USER 
| stats dc(host) AS OnlineCount by Code 
| where Code = "Online" 
| appendcols 
    [| inputlookup host_OnOff.csv 
    | rename HOSTNAME as host 
    | search SITE=*
    | search RESPONSIBLE_USER=*
    | stats dc(host) as NbIndHost] 
| fields OnlineCount NbIndHost 
| eval OnlineCount = if(OnlineCount> 0, tostring(OnlineCount), "") + " / " + NbIndHost + " machines "

 

host_OnOff.csv is updated automatically from the scheduled search below :

| inputlookup fo_all 
| table HOSTNAME SITE CATEGORY RESPONSIBLE_USER DEPARTMENT 
| outputlookup host_OnOff.csv

how to avoid this please??

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎12-06-2020 07:19 AM

The sort will limit number of results to 10000 by default if you don't specify 0. check more info of sort here

 | sort -EventCreatedTime 

————————————
If this helps, give a like below.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎12-06-2020 07:19 AM

The sort will limit number of results to 10000 by default if you don't specify 0. check more info of sort here

 | sort -EventCreatedTime 

————————————
If this helps, give a like below.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...