Splunk Search

How to expand the 500-event limit for the transaction command?

Path Finder

When I run the transaction command, some transactions may have more than 500 events, but Splunk splits them into a set of 500 events and shows the message below:

Show most relevant lines (Exceeds 500 limit)

How to expand this limitation?

1 Solution

Engager

The right answer is:
http://splunk-base.splunk.com/answers/26392/show-most-relevant-lines-exceeds-500-limit

You have to modify the XML file to set a higher limit.

Using maxevents=1000 does nothing, as maxevents is already at 1000 by default.
The limitation is on the display, not on the search.


0 Karma

Path Finder

I am also interested ... the maxevents above 500 are ignored ... so there must be a setting somewhere that overrules it with max 500

0 Karma

Builder

Add "maxevents=" to your transaction command.

Example:

 index=main * | transaction blah maxevents=1000 maxspan=15s
0 Karma

New Member

Hi,
Can you please tell me that XML filename with directory?

0 Karma