In a search executed via Python SDK, the stat list truncates results to 100 results, despite the fact that count=0.
Is there another config or variable that controls stats to remove this limit?
The way to do this is to increase the list_maxsize configuration in the limits.conf
https://docs.splunk.com/Documentation/Splunk/latest/Admin/limitsconf#.5Bstats.7Csistats.5D
Is config accessible to individual end user accounts for Splunk Enterprise? Specifically I'm accessing using Python SDK. So for example we set count=0 in the query. Can we similarly set list_maxsize=0?
@arjunpkishore5 , I tried setting list_maxsize=0 in the python SDK kwarg the same way that I set count=0 but it did not have any effect, it's still retuning a max 100 list. I don't have admin priviledges. Is there a way for end-users to change this default value via SDK?
Have you tried changing your strategy. Instead of using list, It might be possible to return data as rows depending on what you're trying to do. Can you post the query you're using?
We can't share the whole query, but it is simply a rex to match desired identifiers piped into the stats: "...| rex "ID=(?P[^ ]+)" | stats dc(Id), list(Id) by Client". I need the explicit Id list to cross-check against a separate query that extracts events (actually b/c we suspect the Python SDK Json reader is not getting all the results- but that's a separate issue). Can you explain how to use the row strategy to get the Id's?
Change your stats as follows
|stats count as total by Id, Client |eventstats dc(Id) as total by Client
Now you'll have these in each row. and the column total will hold the unique number of id's per client.
End users cannot override this . This is to be done by admin in the limits.conf
why do you need stats list
?
itll create (most of the time) a huge multi-value field
Need an explicit list of Ids in to compute a Venn diagram against those extracted from _raw event data.