How to increase transaction command output limit a...

Splunk Search

Hi Team,

I have events being pushed to HTTP event collector 24/7. In my dashboard I query and format the events using transaction command based on a field traceparent. It's working fine, but the report is only showing 4999 transactions. Is it a limit set on the Splunk server? Where are these limits set and are there any guidelines to increase it without impacting server performance negatively?

I also observed that if by 10AM in a day I got 4999 transactions then the new transactions which came after 10AM are not displayed by the query. I have to change the timer to 'last 60 min', 'last 15 min' etc to get the latest ones. Even if my query hits the top line limit of 4999, how to make sure that those 4999 transactions are the latest (from the time the query is executed) and not the old ones? Like if run the query at 2PM, I want to get those 4999 transactions from 2PM down till 11AM etc. How to achieve that?

Thank you.

Get Updates on the Splunk Community!

How to increase transaction command output limit and always fetch latest transactions?

stats

transaction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation