Re: Impact of Increasing the limit of stats list()...

ahmadshakir1952 · ‎01-21-2020

I am using stats list() for a use case. But the data I am dealing is lot more, than the limit that is set to =100 in limit.conf for stats list() function. I thought about using Stats Values(), but as it breaks the event order, I am stuck with stats list().

I am thinking of increasing the limit of stats list() from 100 to say 1,00,000 for example.

What I am concerned about is, will there be any performance issue if I increase the stats list() or will there be any problem if I increase it? Just to be on the safe side.

Any help would be appreciated.

to4kawa · ‎01-22-2020

| makeresults count=100000
| streamstats count
| stats list(count) as list_100000

Hi, @ahmadshakir1952
As I run this query, It is certainly omitted.

I don't know your query. What's your query?
There may be alternatives.

soumyasaha25 · ‎01-22-2020

On your question about the performance impact, you might end up running into OOM issues and your search performance might also get degraded, as suggested by @to4kawa there might be alternatives available, if you can post your query and some mockup data and the desired output we can try to help you out

Impact of Increasing the limit of stats list() from 100 to say 1,00,000

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?