Splunk Search

Can you help me with a stats command error for limit reached?

mbasharat
Builder

Hi,

I have a report about hosts and vulnerabilities. It has about 30k hosts with a list of the vulnerabilities they are affected by and the total number of vulnerabilities for each host. The query runs fine and the report generated is exactly what I need.

The problem is when I reference this report in a dashboard. I am not getting all results and am seeing the error below.

'stats' command: limit for values of field 'vulnerability_id' reached. Some values may have been truncated or ignored.

How do I increase this limit or solve this issue?

I will need the exact configuration file name, location and stanza that needs to be fixed and the value it should have to accommodate larger results.

I have only one development server in the sandbox. Production is a clustered environment, so if there is something that needs to be adjusted, how do I do that in both environments?

Thanks in advance.

0 Karma
1 Solution

mbasharat
Builder

I ended up using values instead of list because values removes duplicates, reducing the number of rows yet keeping the distinct count accurate. This resolved my issues until the values field's size increases in the near or far future. Thanks.

0 Karma

Vijeta
Influencer

@mbasharat You can try

| mvexpand Vulnerability_ID | mvexpand Severity | stats dc(Vulnerability_ID) by Severity

mbasharat
Builder

Hi @Vijeta,

Did you mean to run your provided query in the dashboard panel which has a base search referencing my report, or to have this in the report like below? The stanza below did not return any results in the dashboard panel.

| mvexpand Vulnerability_ID | mvexpand Severity | stats dc(Vulnerability_ID) by Severity

0 Karma

Vijeta
Influencer

I was referring to the post-process search in the 2nd panel. Also, in the second panel it will be better if you do not use a base search and write index=sample | stats dc(Vulnerability_ID) as Count by Severity

somesoni2
Revered Legend

What's your stats search? I'm assuming you're using a values(.. OR list(.., which creates a multivalued field and is getting truncated because of the multivalued field's memory limitation.

mbasharat
Builder

Hi @somesoni2,

Yes, the report's sample query is:

index=sample
| stats dc(vulnerability_id) AS Count, list(vulnerability_id) AS Vulnerability_ID, list(severity) AS Severity BY host
| lookup DB hostname AS host OUTPUT Ip, Organization
| fillnull value="Unknown"

Also, when I reference the report in dashboard panels, all is working as I need, except for the error in the question.

Additionally, when I try to do another panel using the same report reference in the same dashboard and do

| stats dc(Vulnerability_ID) as Count by Severity

it is also not breaking it down by severity, instead giving the total count as 5. I would like to break it down by severity as well, where the count for each severity should be 1 respectively. Seems like an issue with the count of cell value/s?

The result is in the revised question. Comments are not allowing me to attach a screenshot from my local.

Thanks.

0 Karma
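
A run-anywhere search for comparing list() and values() on the kind of per-host aggregation discussed in this thread, added here as an example and not posted by any participant. The data is constructed with makeresults (2 hosts, 300 events each, 150 distinct vulnerability_id values per host, every value appearing twice); the field names listed_ids, distinct_ids, listed_n and distinct_n are made up for the illustration.

```spl
| makeresults count=600
| streamstats count AS n
| eval vid=floor((n - 1) / 2) % 150
| eval host="host".tostring(n % 2)
| eval vulnerability_id="VULN-".tostring(vid)
| stats dc(vulnerability_id) AS Count,
        list(vulnerability_id) AS listed_ids,
        values(vulnerability_id) AS distinct_ids
        BY host
| eval listed_n=mvcount(listed_ids), distinct_n=mvcount(distinct_ids)
| table host Count listed_n distinct_n
```

Compare listed_n and distinct_n with Count for each host: list() keeps duplicates and is documented to return at most 100 values by default, a cap controlled by list_maxsize in the [stats] stanza of limits.conf, while values() returns each distinct value once.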
