Splunk Search

How to expand 500 limits event for Transaction command?

TheGU
Path Finder

When I run transaction command, some transaction may be more than 500 events but splunk split it to a set of 500 events and show message below :

Show most relevant lines (Exceeds 500 limit)

How to expand this limitation?

Tags (2)
1 Solution

orenault
Engager

The right asnwear is :
http://splunk-base.splunk.com/answers/26392/show-most-relevant-lines-exceeds-500-limit

You have to modify the xml file to set a higher limit.

Using maxevents=1000 do nothing, as the maxevents is already at 1000 by default.
The limitation is on the display, not on the search.

View solution in original post

0 Karma

orenault
Engager

The right asnwear is :
http://splunk-base.splunk.com/answers/26392/show-most-relevant-lines-exceeds-500-limit

You have to modify the xml file to set a higher limit.

Using maxevents=1000 do nothing, as the maxevents is already at 1000 by default.
The limitation is on the display, not on the search.

0 Karma

bowa
Path Finder

I am also interetesed ... the maxevents above 500 are ignored ... so there must be a setting somewhere that overrules it with max 500

0 Karma

bbingham
Builder

add the "maxevents=" to your transaction command.

example

 index=main * | transaction blah maxevents=1000 maxspan=15s
0 Karma

harshsarode1234
New Member

hi ,
can you please tell me that xml filename with directory.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...