Solved: help on results blocked to 10000

jip31 · ‎12-04-2020

hello

The search below works fine except that the onlinecount fields is blocked to 10000

`OnOff` 
| stats latest(_time) as _time by host 
| eval DiffInSeconds = (now() - _time) 
| eval DiffInMinutes=DiffInSeconds/60 
| eval Status=if(DiffInSeconds<3601, "Online", "Offline") 
| eval EventCreatedTime=strftime(_time,"%d-%b-%Y %H:%M:%S %p %Z" ) 
| table host EventCreatedTime DiffInMinutes Status 
| sort -EventCreatedTime 
| eval Code = if(like(Status,"Online"), "Online", "Offline") 
| lookup host_OnOff.csv HOSTNAME as host output SITE DEPARTMENT RESPONSIBLE_USER 
| stats dc(host) AS OnlineCount by Code 
| where Code = "Online" 
| appendcols 
    [| inputlookup host_OnOff.csv 
    | rename HOSTNAME as host 
    | search SITE=*
    | search RESPONSIBLE_USER=*
    | stats dc(host) as NbIndHost] 
| fields OnlineCount NbIndHost 
| eval OnlineCount = if(OnlineCount> 0, tostring(OnlineCount), "") + " / " + NbIndHost + " machines "

host_OnOff.csv is updated automatically from the scheduled search below :

| inputlookup fo_all 
| table HOSTNAME SITE CATEGORY RESPONSIBLE_USER DEPARTMENT 
| outputlookup host_OnOff.csv

how to avoid this please??

thambisetty · ‎12-06-2020

The sort will limit number of results to 10000 by default if you don't specify 0. check more info of sort here

| sort -EventCreatedTime

————————————
If this helps, give a like below.

View solution in original post

thambisetty · ‎12-06-2020

The sort will limit number of results to 10000 by default if you don't specify 0. check more info of sort here

| sort -EventCreatedTime

————————————
If this helps, give a like below.

help on results blocked to 10000

Other

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout