Splunk Search

How to remove stats list limits that result to 100 despite count=0?

alancalvitti
Path Finder

In a search executed via Python SDK, the stat list truncates results to 100 results, despite the fact that count=0.
Is there another config or variable that controls stats to remove this limit?

0 Karma

arjunpkishore5
Motivator

The way to do this is to increase the list_maxsize configuration in the limits.conf

https://docs.splunk.com/Documentation/Splunk/latest/Admin/limitsconf#.5Bstats.7Csistats.5D

0 Karma

alancalvitti
Path Finder

Is config accessible to individual end user accounts for Splunk Enterprise? Specifically I'm accessing using Python SDK. So for example we set count=0 in the query. Can we similarly set list_maxsize=0?

0 Karma

alancalvitti
Path Finder

@arjunpkishore5 , I tried setting list_maxsize=0 in the python SDK kwarg the same way that I set count=0 but it did not have any effect, it's still retuning a max 100 list. I don't have admin priviledges. Is there a way for end-users to change this default value via SDK?

0 Karma

arjunpkishore5
Motivator

Have you tried changing your strategy. Instead of using list, It might be possible to return data as rows depending on what you're trying to do. Can you post the query you're using?

0 Karma

alancalvitti
Path Finder

We can't share the whole query, but it is simply a rex to match desired identifiers piped into the stats: "...| rex "ID=(?P[^ ]+)" | stats dc(Id), list(Id) by Client". I need the explicit Id list to cross-check against a separate query that extracts events (actually b/c we suspect the Python SDK Json reader is not getting all the results- but that's a separate issue). Can you explain how to use the row strategy to get the Id's?

0 Karma

arjunpkishore5
Motivator

Change your stats as follows
|stats count as total by Id, Client |eventstats dc(Id) as total by Client

Now you'll have these in each row. and the column total will hold the unique number of id's per client.

0 Karma

arjunpkishore5
Motivator

End users cannot override this . This is to be done by admin in the limits.conf

0 Karma

adonio
Ultra Champion

why do you need stats list ?
itll create (most of the time) a huge multi-value field

0 Karma

alancalvitti
Path Finder

Need an explicit list of Ids in to compute a Venn diagram against those extracted from _raw event data.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...