Splunk Search

Can you help me with a stats command error for limit reached?

mbasharat
Builder

Hi,

I have a report about hosts and vulnerabilities. It has about 30k hosts with the list of vulnerabilities they are affected by and the total number of vulnerabilities for each host. The query runs fine and the report generated is exactly what I need.

The problem is when I reference this report in a dashboard. I am not getting all results and am seeing the error below.

'stats' command: limit for values of field 'vulnerability_id' reached. Some values may have been truncated or ignored.

How do I increase this limit or solve this issue?

I will need the exact configuration file name, location and stanza that needs to be fixed and the value it should have to accommodate larger results.

I have only one development server in the sandbox. Production is a clustered environment, so if there is something that needs to be adjusted, how do I do that in both environments?

Thanks in-advance.

0 Karma
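The thread never states the file and stanza the question asks for, so here it is as an added example, not part of any post above. The cap behind the "limit for values of field ... reached" warning is the [stats] stanza of limits.conf; the settings used are maxvalues (default 10000) and list_maxsize (default 100, the cap on items list() keeps per cell). The app name, the 50000/1000 values, the deployer target and the credentials are placeholders and must be adjusted; the override is written into an app's local directory rather than etc/system/local so that it survives upgrades and can be pushed as a bundle in the clustered environment.

```shell
#!/bin/sh
# Added example (not from the thread): limits.conf override for the [stats]
# stanza, plus a read-back check and the two deployment paths (single dev
# server vs. search head cluster). Placeholders: app name, limit values,
# deployer target and credentials.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
APP_NAME="vuln_report_limits"          # hypothetical app name

# Write limits.conf into the directory given as $1 (normally
# $SPLUNK_HOME/etc/apps/<app>/local). Prints the path it wrote.
write_stats_limits() {
    conf_dir="$1"
    maxvalues="${2:-50000}"            # starting point, not a tuned value
    list_maxsize="${3:-1000}"
    mkdir -p "$conf_dir"
    cat > "$conf_dir/limits.conf" <<EOF
[stats]
# Maximum number of values stats keeps for any one field (default 10000).
# Hitting it raises the "limit for values of field ... reached" warning.
maxvalues = $maxvalues
# Maximum number of items list() keeps in one multivalue cell (default 100).
list_maxsize = $list_maxsize
EOF
    printf '%s\n' "$conf_dir/limits.conf"
}

# Read one key back from the [stats] stanza of the file given as $1.
# This is the offline stand-in for what btool reports on a live system.
read_stats_setting() {
    awk -v key="$2" '
        /^\[/ { in_stats = ($0 == "[stats]") }
        in_stats && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Single (sandbox) server: write the app, then ask btool which file wins
# for the merged [stats] stanza. Restart the search head afterwards.
apply_single_server() {
    write_stats_limits "$SPLUNK_HOME/etc/apps/$APP_NAME/local" "$@"
    "$SPLUNK_HOME/bin/splunk" btool limits list stats --debug \
        | grep -E 'maxvalues|list_maxsize'
}

# Search head cluster: run this on the deployer. The same app goes under
# shcluster/apps and is pushed to every member as part of the bundle.
apply_search_head_cluster() {
    write_stats_limits "$SPLUNK_HOME/etc/shcluster/apps/$APP_NAME/local" "$@"
    "$SPLUNK_HOME/bin/splunk" apply shcluster-bundle \
        -target https://sh1.example.com:8089 -auth admin:changeme   # placeholders
}
```

On the clustered side, do not hand-edit etc/system/local on individual members: those files are outside the deployer bundle, so the members drift and the next bundle push does not correct them. Raising maxvalues trades memory per search for completeness, so confirm with btool that no other app sets a competing value, and prefer the values() function (as the accepted answer does) or mvexpand on the raw events over an ever-larger list() cell.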
1 Solution

mbasharat
Builder

I ended up using values instead of list because values removes duplicates, reducing the number of rows yet keeping the distinct count accurate. This resolved my issue until the values field's size increases in the near or far future. Thanks.

0 Karma

Vijeta
Influencer

@mbasharat You can try | mvexpand Vulnerability_ID | mvexpand Severity | stats dc(Vulnerability_ID) by Severity

mbasharat
Builder

Hi @Vijeta,

Did you mean to run your provided query in the dashboard panel whose base search references my report, OR to have it in the report like below? The stanza below did not return any result in the dashboard panel.

| mvexpand Vulnerability_ID | mvexpand Severity | stats dc(Vulnerability_ID) by Severity

0 Karma

Vijeta
Influencer

I was referring to a post-process search in the 2nd panel. Also, in the second panel it will be better if you do not use the base search and instead write index=sample | stats dc(Vulnerability_ID) as Count by Severity

somesoni2
Revered Legend

What's your stats search? I'm assuming you're using a values(.. or list(.. which creates a multivalue field and is getting truncated because of the multivalue field's memory limitation.

mbasharat
Builder

Hi @somesoni2,

Yes, the report's sample query is:

index=sample
| stats dc(vulnerability_id) AS Count, list(vulnerability_id) AS Vulnerability_ID, list(severity) AS Severity BY host
| lookup DB hostname AS host OUTPUT Ip, Organization
| fillnull value="Unknown"

Also, when I reference the report in dashboard panels, everything is working as I need, except for the error in the question.

Additionally, when I try to add another panel using the same report reference in the same dashboard and do
| stats dc(Vulnerability_ID) as Count by Severity
it is also not breaking it down by severity; instead it gives the total count as 5. I would like to break it down by severity as well, where the count for each severity should be 1 respectively. Seems like an issue with the count of cell value/s?

The result is in the revised question. Comments are not allowing me to attach a screenshot from my local machine.

Thanks.

0 Karma
