When I run the transaction command, some transactions may be more than 500 events, but Splunk splits them into a set of 500 events and shows the message below:
Show most relevant lines (Exceeds 500 limit)
How do I expand this limitation?
The right answer is:
http://splunk-base.splunk.com/answers/26392/show-most-relevant-lines-exceeds-500-limit
You have to modify the xml file to set a higher limit.
Using maxevents=1000 does nothing, as maxevents is already at 1000 by default.
The limitation is on the display, not on the search.
I am also interested ... the maxevents above 500 are ignored ... so there must be a setting somewhere that overrules it with max 500
Add "maxevents=" to your transaction command.
Example:
index=main * | transaction blah maxevents=1000 maxspan=15s
Hi,
Can you please tell me the XML filename and its directory?